We propose a realizability interpretation of a system for quantifier free arithmetic which is equivalent
to the fragment of classical arithmetic without nested quantifiers, called here EM$_1$-arithmetic. We
interpret classical proofs as interactive learning strategies, namely as processes going through
several stages of knowledge and learning by interacting with the "environment" and with each
other. We give a categorical presentation of the interpretation through the construction of two
suitable monads.

Categories and Subject Descriptors: D.1.1 [Software]: Applicative (Functional) Programming; D.1.2 [Software]: Automatic
Programming; F.1.2 [Theory of Computation]: Modes of Computation — Interactive and reactive computation;
F.4.1 [Mathematical Logic]: Lambda calculus and related systems — Proof Theory; I.2.6 [Artificial Intelligence]:
Learning — Induction

1. INTRODUCTION

Since the discovery, by Gödel, Gentzen, Kreisel and others, of interpretations of the classical into the
intuitionistic logic, it has been held that classical proofs should have a constructive significance, which
logicians and computer scientists may envisage as their computational content. This soon appeared,
and still remains, one of the more promising fields of application of logic to mathematics and computer
science, with a positive contribution by logic rather than the finding of negative results only.

The impressive amount of work carried out so far by several authors has produced a great deal of
suggestive ideas and results supporting them; however, in our opinion, a convincing account of the
nature of such a content is still missing, either because of its indirect description through translations
and interpretations, or because the proposed approaches are based on almost magic properties of formal
systems (think of Gödel's Dialectica interpretation and of its usage together with minimal logic, or Friedman's
A-translation), or because of the too fine grained analysis, often at the level of logical connectives and
quantifiers, on which they rely. The discomfort with such descriptions of the constructive content of
classical proofs becomes more evident when looking at the "algorithms" one obtains by means of the
known techniques, which are, worse than inefficient, impossible to follow and likely far away from the
ideas on which the proofs were based.

We wish to go a step further into a recently emerged approach, which in our view originates from
the game theoretic account of logic and arithmetic, and especially Coquand's semantics of evidence in
[Coquand 1995]. We look for an explicit description of the constructive meaning of proofs, possibly
relating the obtained algorithms to the proof ideas they should come from. The basic intuition is that
of understanding proofs as strategies, by which a finite agent learns how to ensure the truth of the proof
conclusion. We emphasize here the point of learning in the limit as the distinctive feature of the approach
we are developing. Learning is an interactive process in which (general) hypotheses are raised and tested
against (particular) facts, possibly realizing that some wrong guesses have been made and reacting in
some clever way. Also learning is an intrinsically unbounded process, in the sense that its goal is never
definitely attained: or at least, the learning agent might not be able to decide whether she has eventually
been successful.

A rough account of this follows the lines of Tarski's semantics of formulas and of Kleene's realizability
interpretation of quantifiers, except for the crucial case of existential quantification. As a basic
assumption let us take for granted that quantifier free sentences (hence without any occurrence of variables,
neither bound nor free) can be checked against truth by direct computation. A strategy for $\forall x\, A(x)$ is
a uniform method telling how to learn about $A(c)$ for any possible choice of (the individual denoted by)
the constant $c$. The learning of the truth of $\exists x\, A(x)$, instead, involves the guessing of a $c$ such that $A(c)$
can be learned to be true, without $c$ being computable in general. For this reason a guess cannot be
regarded as a definite choice, but rather as a tentative one: if and when evidence should occur against its
correctness, the learner has to be instructed on how to backtrack her guesses and try some new guess.

Consider for concreteness the excluded middle law, EM, that we write in the suggestive form:
$\exists x\, A(x) \lor \forall y\, \neg A(y)$. Rephrasing in the learning scenario Coquand's dialogic interpretation of this law, the learning
of EM begins by assuming $\forall y\, \neg A(y)$, which is by the above the strategy of learning $\neg A(c)$ for any
arbitrary choice of $c$. If evidence occurs that $A(c')$ should be true for some specific $c'$, then the learner
changes her mind and backtracks to the point where the previous assumption was made; she now takes
$A(c')$ as her new guess, suspending at the same time her assent to all the consequences that have been
drawn from the incompatible assumption that $\neg A(c')$.

This process involves a memory, recording all the previous guesses and the logical dependencies
among them, and it could be very complex depending on the logical complexity of $A$. If it is a quantifier
free closed formula, however, $A$ is decidable by our basic assumption, so that the discovery that $A(c')$
actually holds for some $c'$ is definite, and all the consequences drawn from its negation can be simply
forgotten: this is what is called 1-backtracking in [Berardi et al. 2005]. In the case of a more complex
formula $A$ the learner might realize that she was wrong in discarding $\forall y\, \neg A(y)$, and even that she was
wrong in her belief to have been wrong: in other words she might be in a position to resume her own rejected
guesses, but also to resume her negative attitude toward some of them, and so on.

A learning process of this guise is not guaranteed to terminate in principle, and it would be contradictory 
with the undecidability of the Halting problem to ask that, even if the learning process comes out from 
a sound proof, it should reach a perfect knowledge within a finite number of steps and effectively. It 
is at this point that we resort to Gold's idea of learning in the limit (see [Gold 1965; 1967]). A sound 
learning strategy (a winning strategy in the game theoretic jargon) should guarantee that the learner 
can be wrong in her guessing only finitely many times, so that she will eventually hold her final guesses 
without any further change of her mind because of the discovery of some counterexample. The trick is 
that, while the process of generating and discarding the guesses is effective, one accepts that, except in 
particular cases, it is undecidable whether the definite guess has been reached or not. 

Learning in the limit in the sense of Gold is not sufficient for interpreting proofs of the whole classical
arithmetic. It corresponds to the 1-backtracking fragment which we call here PRA + EM$_1$, and which
is essentially Hayashi's Limit Computable Mathematics [Hayashi 2006]. We have studied in [Berardi and
de' Liguoro 2009] the concept of limit in the general case of unbounded backtracking, though always of
well-founded depth; but a precise description of the interpretation of formal proofs into learning strategies
is quite a challenging task, especially because we do not want to alter the form of the conclusion, nor
the proof itself by translating and forcing them into some normal form, because classically equivalent
formulas and proofs might embody different constructive ideas.

Being aware of the difficulty, in this paper we address the issue in the limited case of the quantifier free
fragment of Heyting arithmetic, HA, known as primitive recursive arithmetic, PRA. As explained
in the next section, we add to such a theory the existential quantification only to the extent of expressing
EM$_1$, which is EM when $\exists x\, A(x)$ is $\Sigma^0_1$, that is when $A$ is decidable. We do this by adding Skolem
functions to the language $\mathcal{L}_0$ of PRA, in a way which is reminiscent of Hilbert's $\epsilon$-terms, so that one
does not need to consider nested quantifiers in the technical development. We then rephrase EM$_1$ by
means of new axioms implying that, for each primitive recursive predicate $P$ of arity $k+1$ there is a $k$-ary
function symbol $\varphi_P$ such that

$$P(\vec{x}, y) \to P(\vec{x}, \varphi_P(\vec{x})).$$

The effect of $\varphi_P$ is to choose a $y$ making $P(\vec{x}, y)$ true if such a $y$ exists depending on the parameters $\vec{x}$;
$\varphi_P(\vec{x}) = 0$ (or any other default value) otherwise. But the function denoted by $\varphi_P$ does not need to be
computable; we view its values as guesses for $y$ instead, and accept the idea that the individual denoted
by a term including the symbols $\varphi_P$ might change while the learner's finite knowledge of the standard
model grows.

We represent a state of knowledge by a finite set of atomic closed formulas $P(\vec{m}, n)$ which have been
found to be true by the learner in the standard recursion theoretic model of PRA, and such that
they uniquely define a finite part of the relative Skolem functions $\varphi_P$. Therefore by simply taking
finite supersets of some given state of knowledge as its extensions, we see that there are in general
many incompatible ways of enlarging the learner's knowledge, which correspond to the possible choices for
defining the guessing functions $\varphi_P$. To account for the dependency of the meaning of terms and formulas
on the state of knowledge we interpret the individuals and the statements of the theory into functions
from states to natural numbers and booleans respectively. Because of this a formula which was deemed
false in some state $s$ might become true in some state $s' \supseteq s$; but note that also the opposite is possible.

The way out from such a seemingly chaotic situation is the redefinition of the concept of individual as
a dynamic object. An individual $a$, also called a strongly convergent function, is a mapping from the set
of states $\mathbb{S}$ to some set of values $X$, such that given any countable sequence of states $s_0 \subseteq s_1 \subseteq s_2 \subseteq \cdots$
which is weakly increasing w.r.t. the extension relation, $a(s_i)$ is eventually constant. An individual is a
dynamic or perhaps an epistemic concept, since it clearly evolves along the history of a learning process
depending on the actual experiments made by the learner. In the case of a formula $A$ a more concrete
description of the learning strategy is a searching procedure that, given some initial state $s_0$, produces
consistent extensions $s_1, s_2, \ldots$ of it, such that the meaning of $A$, which is a function in $\mathbb{S} \to \mathbb{B}$ (where $\mathbb{B}$
is the set of truth values) eventually becomes true.

We prove that under a natural lifting of the standard interpretation of terms and formulas from the
language $\mathcal{L}_0$, into functions from $\mathbb{S}$ to $\mathbb{N}$ and from $\mathbb{S}$ to $\mathbb{B}$, terms and formulas always denote dynamic
individuals, provided that the variables occurring in them are also interpreted by individuals in the new
sense. We eventually obtain the desired result of having the whole language $\mathcal{L}_1$ of the theory PRA + EM$_1$
uniformly interpreted into the same kind of mathematical objects.

Describing the model in terms of type theory, individuals inhabit the types of the shape $\mathcal{S}X = \mathbb{S} \to X$;
the meaning of $\mathcal{S}$ is that of a strong monad in the sense of [Moggi 1991], which we call the state monad, that
can be seen as a type constructor. If we take for simplicity the category of sets as our base interpretation
category, then $\mathcal{S}$ is an endofunctor of Set for which there exist an (injective) inclusion $\eta_X : X \to \mathcal{S}X$
and an extension map $\_^* : (X \to \mathcal{S}Y) \to (\mathcal{S}X \to \mathcal{S}Y)$, satisfying a suitable universality condition. $\mathcal{S}X$
does contain more than individuals, but we characterize the functions of the shape $f^*$ as those treating
the state as a consistent approximation of the definition of truth, by using only the value $a(s)$ in the
evaluation of $f^*(a, s)$. Since $a$ is the denotation of a term $t$ or of a formula $A$, this amounts to evaluating
all the parts of $t$ and $A$ in the same $s$, which is a sort of global state: for this reason we say that a function
$f^*$ has a global state, and call it global for short. Global functions have the pleasant property of sending
individuals to individuals, and of being determined by their behaviour over the image $\eta_X(X)$ of $X$ in $\mathcal{S}X$.
The desired result of having terms and formulas denoting individuals is obtained by interpreting function,
predicate and even connective symbols into global functions.

The relation with 1-backtracking is apparent from the fact that an individual might change its value
only finitely many times along some given sequence of states of knowledge; this is further clarified by
the fact that for each tuple of numbers $\vec{m}$ the value of $\varphi_P(\vec{m})$ is definitely set to $n$ by adding the
information $P(\vec{m}, n)$ to the current state; but we have to allow for a finite number of changes, and not
just one, because the arguments of $\varphi_P$ might well be variables (hence dynamic individuals) and because
of the possible nesting of the $\varphi_P$ symbols, by which the tuple of arguments $\vec{m} = \vec{a}(s)$ (for a vector $\vec{a}$ of
individuals and some newly reached state $s$) in $\varphi_P(\vec{m})$ might also change.

The interpretation of the language $\mathcal{L}_1$ into individuals is just a first ingredient of the model; indeed
the natural question arises of what we can say about the meaning of $A$ when PRA + EM$_1$ $\vdash A$. A
simple minded answer is that it is an individual always converging to true. But this is not the case:
indeed it is not difficult to find an $A$ and an $s \in \mathbb{S}$ such that PRA + EM$_1$ $\vdash A$ and $A$ is false in $s$: then
the sequence $\sigma(i) = s$ for all $i \in \mathbb{N}$ is weakly increasing, and $A$ is definitely false along $\sigma$. The problem
cannot be overcome by restricting to strictly increasing sequences, since the state $s$ can be extended by
adding information which is irrelevant to $A$ (say $P(\vec{m}, n)$ for a predicate $P$ not occurring in $A$). A subtler
property holds instead: if PRA + EM$_1$ $\vdash A$ then for any $s$ we can effectively find an extension $s' \supseteq s$
such that $A$ is true in $s'$, namely the subset of states in which $A$ is true is cofinal in $\mathbb{S}$ w.r.t. the extension
ordering.

The main result of the present paper is a semi-constructive proof of this claim$^1$. Suppose that PRA +
EM$_1$ $\vdash A$. Given an arbitrary initial state $s_0$ we construct a weakly increasing sequence $\sigma = s_0, s_1, \ldots$
such that $A$ is eventually true along $\sigma$. The construction is a learning process which is however not blind
search: it is the proof of $A$ that embodies the searching strategy, which is at the same time continuous,
to depend only on a finite amount of information, coherent, to produce sensible answers, and strongly
convergent, to ensure that the desired goal of making $A$ true will be eventually reached.

An interactive realizer is a function $r \in \mathcal{S}(\mathbb{S}) = \mathbb{S} \to \mathbb{S}$ which satisfies the above requirements to
interpret a proof. Profiting from the improved exposition of the model in [Aschieri and Berardi 2009]
w.r.t. its very first presentation in [Berardi 2005] and [Berardi and de'Liguoro 2008], we see a realizer $r$ as
computing a state $r(s)$ which is compatible with $s$ and includes only what is needed to proceed toward the
validation of a formula $A$. Suppose that the free variables of $A(x)$ are just $x$ (an inessential restriction),
and let $a \in \mathcal{S}\mathbb{N}$ be the individual interpreting $x$ given by some environment, a mapping $\mathrm{Var} \to \mathcal{S}\mathbb{N}$;
then we say that $r$ forces $a$ into $A$, and write $r \Vdash a : A$, if for any $s \in \mathbb{S}$, if $r(s)$ is the empty set
(the trivial state $\bot$) then $A(a(s))$ is true in $s$. We call the subset of such states the prefix points of $r$,
written $\mathrm{Prefix}(r)$, since the definition we have adopted immediately implies that $r(s) = \bot$ if and only
if $r(s) \subseteq s$. The existence of a search by means of $r$ out of an arbitrary starting state $s_0$ implies that
$\mathrm{Prefix}(r)$ is cofinal in $\mathbb{S}$, which is the way we understand the definite catch of the values of $a$ into the set
$\{n \in \mathbb{N} \mid A(n) \text{ is true}\}$.

There is a subtle difficulty with this concept of forcing, which otherwise could be confused with the
homonymous Kripke relation between possible worlds and formulas. We have observed above that even if
the knowledge grows, the best that we can hope is that a formula which is a theorem of PRA + EM$_1$ will
become eventually true along certain (weakly) increasing sequences of states, that are comparable to the
branches of a tree-form Kripke model. This is clearly weaker than Kripke's forcing, which is monotonic
along the paths of a model formed by the accessibility relation; since a statement is valid in a Kripke
model if it is forced at the root of the tree of possible worlds, it is forced by every possible world in the
model. Also terms take a fixed denotation in Kripke models as soon as they come to "existence" in a
possible world, so that they have been also called "rigid designators" in [Kripke 1972]. We observe that
this exactly mirrors the intuitionistic view of the validity of existential assertions, whose construction is,
according to the Brouwer-Heyting-Kolmogorov interpretation, a pair of an individual (in the standard
sense) and of a constructive proof that it satisfies a given property, where the individual part, as well as the
proof, must be known at once.

$^1$ A constructive proof can be given, however, and it can be used to produce effective bounds to the time complexity of the
extracted algorithms. See [Aschieri 2011].

In the case of our model, on the contrary, the denotations of terms and formulas change with the state; 
but the state is the only way for a realizer to force a into the goal A: it is like pointing at some target which 
is moved by a side effect of the shots themselves, that can be eventually hit only through an interactive 
process of trials and errors. The interaction, therefore, depends on factors that are independent of the 
proof, like the given a and the starting state of knowledge: this is our account of why the interpretation 
of a non constructive proof of A is an unpredictable (morally non-deterministic) process, whose actual 
behavior depends on the interaction with the "environment", namely any other proof using A as a lemma
and interacting with the same state. 

Coming back to the interpretation of proofs we now sketch how a realizer can be constructed out
of them. In our model the forcing relation relative to some statement $A$ is a binary relation between
realizers and dynamic individuals, so that it is included into $\mathcal{S}(\mathbb{S}) \times \mathcal{S}(\mathbb{N})$: we consider $\mathcal{R}X = \mathcal{S}(\mathbb{N}) \times \mathcal{S}(\mathbb{S})$
for historical reasons and because of the isomorphism with the object part of the side effect monad
$\mathcal{E}X = \mathbb{S} \to (\mathbb{N} \times \mathbb{S})$. Indeed it turns out that $\mathcal{R}$ is itself a monad, whose extension operation $\_^*$ is
defined by means of a binary operation $\otimes$ over $\mathcal{S}(\mathbb{S})$, allowing to combine two realizers $r$ and $r'$ into a
new one $r \otimes r'$. We call the so obtained realizer the merge of $r$ and $r'$, which is nothing else than the
resulting interaction between $r$ and $r'$, where each of them is engaged in satisfying its own goal, namely
the premises of an inference rule in the proof. This operation can be constructed in several ways, but it
is axiomatically definable as the lifting to $\mathcal{S}(\mathbb{S})$ of a binary operation $\otimes$ over $\mathbb{S}$ which is a monoid with
unit $\bot$ and satisfying a few additional requirements. As a consequence, the lifted operation is a monoidal
operation too, that is essential to combine the realizers of subproofs to obtain a compositional interpretation
of a proof in terms of interactive realizers.

The interactive realizability theorem establishes that for any theorem $A$ of PRA + EM$_1$ and any
interpretation $a$ of its free variables into individuals, there is a realizer $r(a)$ such that $r(a) \Vdash a : A$. As
a byproduct we establish that, given a formula $A(\vec{x}, y)$ of PRA such that PRA + EM$_1$ $\vdash A(\vec{x}, \varphi_P(\vec{x}))$,
where $P$ is the primitive recursive predicate defined by $A$, we can extract an effective searching method
out of the very proof of $A$, which is capable of forcing the interpretation of the free variables in $A$ to
values that satisfy $A$, possibly in some extension of the given state of knowledge, and actually in the
interpretation of $A$ in the standard classical model of arithmetic. The value computed by $\varphi_P$ is such
that $A$ holds, but it is not necessarily the best chosen one w.r.t. all possible usages of $A$. By merging
the realizer of $A$ with that of some proof that uses $A$ as a lemma, we obtain a new realizer that may
resume the search processes of its components, possibly leading to a new valuation of the $\varphi_P$. The so
obtained searching method is then an interactive algorithm reflecting the structure of the proof, that
often embodies a clever and efficient idea of how to search for a partial, but locally sufficient knowledge
of the otherwise infinite classical model of arithmetic.

2. PRIMITIVE RECURSIVE ARITHMETIC PLUS EM$_1$ AXIOM

The theory of primitive recursive arithmetic, called PRA in [Troelstra and van Dalen 1988] (see vol. 1,
chapter 3, section 2), is essentially the quantifier free fragment of Heyting arithmetic with equality. The
language $\mathcal{L}_0$ of PRA contains free variables for natural numbers, the constants $0$ and $\mathrm{succ}$ for zero and
successor respectively; further it includes a function symbol $\mathsf{f}, \mathsf{g}, \ldots$ for each primitive recursive function,
the symbol $=$ for equality and the connectives $\neg$, $\land$, $\lor$ and $\to$. To this list we add symbols for primitive
recursive predicates $P, Q, \ldots$ each with a fixed arity.

For presenting PRA we consider the following deductive system: the logical axioms are those of IPC,
the intuitionistic predicate calculus, plus the axioms for equality; the non logical axioms include the
defining equations of all primitive recursive functions and $\neg\, \mathrm{succ}(0) = 0$. As explained in [Troelstra and
van Dalen 1988], the formula $\mathrm{succ}(x) = \mathrm{succ}(y) \to x = y$ is derivable, and need not be assumed as an
axiom. Inference rules are:

$$\frac{A \to B \qquad A}{B}\ \mathrm{MP} \qquad\qquad \frac{A(x)}{A(t)}\ \mathrm{SUB} \qquad\qquad \frac{A(0) \qquad A(x) \to A(\mathrm{succ}(x))}{A(y)}\ \mathrm{IND}$$

where in rule SUB the premise $A(x)$ has been derived from hypotheses not containing $x$.

By $A(x)$ we mean that $x$ possibly occurs in $A$, and $A(t)$ denotes the same as the more explicit writing
$A[t/x]$, namely the substitution of $t$ for $x$ in $A$. Although there are no bound variables in the formulas
of $\mathcal{L}_0$, we speak of the sets $\mathrm{FV}(t)$ and $\mathrm{FV}(A)$ of the free variables occurring in $t$ and $A$ respectively.

In [Troelstra and van Dalen 1988] a more general quantifier free version of the induction rule is
considered, namely:

$$A(0) \qquad A(x) \to A(\mathrm{succ}(x))$$

This rule is however admissible by the rules IND and SUB above, by choosing a fresh y in the conclusion 
of IND. 

The standard model of PRA interprets terms into $\mathbb{N}$, the set of natural numbers, and function and
predicate symbols into their recursion theoretic counterparts. In the next sections we make use of the
simply typed $\lambda$-calculus with numerals and recursors, known as Gödel's system T (see e.g. [Girard 1989]),
for describing our interpretation and constructions: it is then natural to see the standard model of
PRA inside the set theoretic model of the typed $\lambda$-calculus, and to consider predicates as denoting
functions with values in the set $\mathbb{B} = \{\mathrm{true}, \mathrm{false}\}$ instead of number theoretic functions with values in
$\{0, 1\}$ as usual. Because of the absence of quantifiers, it is routine to show that any formula $A \in \mathcal{L}_0$ with
$\mathrm{FV}(A) \subseteq \{x_1, \ldots, x_k\}$ defines a $k$-ary primitive recursive predicate.

PRA is a fragment of the constructive arithmetic HA; however all the instances of the excluded middle
which are expressible in the language $\mathcal{L}_0$ are derivable in this theory.

Proposition 2.1. For all $A \in \mathcal{L}_0$ it is the case that PRA $\vdash A \lor \neg A$.

Proof. See [Troelstra and van Dalen 1988], Prop. 2.9. $\Box$

As a consequence we could freely assume the axioms of CPC, the classical propositional calculus, in
place of IPC. The essential point here is that the absence of quantifiers makes excluded middle into an
intuitionistically acceptable principle w.r.t. an oracle evaluating the function symbols occurring in $A$.
Indeed at the heart of the proof of Proposition 2.1 is the fact that we can prove e.g.
$\mathsf{f}(x) = \mathsf{g}(x) \lor \mathsf{f}(x) \neq \mathsf{g}(x)$ by simultaneous induction (which is admissible in PRA), which is possible only because this formula
does not express that $\mathsf{f}$ and $\mathsf{g}$ are either equal or different functions, as this last statement requires the
existential quantification.

Let us call EM$_1$ the following schema, with $A \in \mathcal{L}_0$ such that $\mathrm{FV}(A) \subseteq \vec{x}, y$:

(EM$_1$) $\forall \vec{x}.\ \exists y\, A(\vec{x}, y) \lor \forall y\, \neg A(\vec{x}, y)$.

EM$_1$ is just an instance of the law of excluded middle where $\exists y\, A(\vec{x}, y)$ is a $\Sigma^0_1$ formula with parameters,
and it is called the $\Sigma^0_1$-LEM principle in the hierarchy studied by Akama et al. in [Akama et al. 2004].
EM$_1$ uses nested quantifiers, hence it is not expressible by a formula in $\mathcal{L}_0$. To find a quantifier free
equivalent of EM$_1$ let us consider its classically equivalent prenex and skolemized normal form:

$\forall \vec{x}, y.\ A(\vec{x}, \varphi(\vec{x})) \lor \neg A(\vec{x}, y)$,

which in turn is (classically) equivalent to

$\forall \vec{x}, y.\ A(\vec{x}, y) \to A(\vec{x}, \varphi(\vec{x}))$.

Then we split it into two quantifier free axiom schemata, for reasons that will be apparent from the
technical development in the subsequent sections of this work:

($\chi$) $P(\vec{x}, y) \to \chi_P(\vec{x})$

($\varphi$) $\chi_P(\vec{x}) \to P(\vec{x}, \varphi_P(\vec{x}))$

where $P$ is a primitive recursive predicate of arity $k + 1$ and $\varphi_P$ and $\chi_P$ are a function and a predicate
symbol of arity $k$ respectively. By axioms ($\chi$) and ($\varphi$) the actual meaning of $\chi_P(\vec{x})$ is the predicate
$\exists y.\ P(\vec{x}, y)$. Concerning the meaning of $\varphi_P$ we note that the derivable implication $P(\vec{x}, y) \to P(\vec{x}, \varphi_P(\vec{x}))$
is an instance of the critical axiom of Hilbert's $\epsilon$-calculus [Hilbert and Bernays 1970], writing $\varphi_P(\vec{x})$ in
place of $\epsilon y\, P(\vec{x}, y)$, with the restriction that $P$ has to be primitive recursive. Asking that $P$ is primitive
recursive is equivalent to the restriction that the $A$ in EM$_1$ has to be a formula in $\mathcal{L}_0$, since by the above
remark, these formulas exactly define primitive recursive predicates.

Let $\mathcal{L}_1$ be the language of the quantifier free predicate calculus defined as $\mathcal{L}_0$ by adding the new symbols
$\varphi_P$ and $\chi_P$ to the list of function and predicate symbols respectively for each predicate symbol $P$ of $\mathcal{L}_0$:
then $\mathcal{L}_0 \subseteq \mathcal{L}_1$, and the definitions of free variables and substitution apply to $\mathcal{L}_1$ terms and formulas
unchanged. Finally, with a slight abuse of notation, we call PRA + EM$_1$ the theory PRA + ($\chi$) + ($\varphi$),
which is obtained by adding all symbols $\chi_P$ and $\varphi_P$ and all instances of the ($\chi$) and ($\varphi$)-axioms to the
axioms of PRA.

We finish this preliminary section by observing that PRA + EM$_1$ is a proper extension of PRA, which
can be argued by taking in the axioms ($\chi$) and ($\varphi$) the Kleene predicate as $P$: the resulting instances
are indeed intuitionistically unacceptable principles. As a matter of fact the $\chi_P$ predicates and the $\varphi_P$
functions are only recursive in the halting problem. In passing we note that Proposition 2.1 still holds,
namely PRA + EM$_1$ $\vdash A \lor \neg A$ for any $A \in \mathcal{L}_1$, and by the same proof.

3. THE STATE MONAD AND A CONSTRUCTIVE INTERPRETATION OF PRA + EM$_1$ FORMULAS

Let $R_0, R_1, \ldots$ be a denumerable list of predicate symbols in the language of PRA. We assume that it
is an exhaustive enumeration of primitive recursive predicates, in the sense that $i$ is the Gödel number
of a definition in PRA of some primitive recursive predicate, associated to $R_i$. The $R_i$ are called simply
predicates, for which we shall freely use letters $P, Q, \ldots$ possibly with indexes. We write $P = Q$ if and only
if both $P$ and $Q$ refer to the same $R_i$, i.e. to the same syntactical definition of the relative predicate: hence
$=$ is decidable. As said in Section 2, by the standard model we mean the standard classical interpretation
of PRA, though seen in the set theoretic model of system T. Except when treating of the semantic
interpretation mapping, we write ambiguously $\mathsf{P}(\vec{m}, n)$ for $P(\vec{m}, n)$, where $P$ is the primitive recursive
predicate interpreting the symbol $\mathsf{P}$.

Definition 3.1 States of Knowledge. A state of knowledge (shortly a state) is a finite set:

$$s = \{(P_1, \vec{m}_1, n_1), \ldots, (P_l, \vec{m}_l, n_l)\},$$

such that $P_1, \ldots, P_l$ are predicate symbols, and each $P_i$ is a predicate of arity $k_i + 1$, where $k_i$ is also the
length of $\vec{m}_i$, and:

(1) (model condition): $P_i(\vec{m}_i, n_i)$ is true in the standard model for all $i = 1, \ldots, l$;
(2) (consistency condition): if $P_i = P_j$ and $\vec{m}_i = \vec{m}_j$ then $n_i = n_j$.

We call $\mathbb{S}$ the set of states of knowledge.

A state of knowledge is a finite piece of information about the standard model of PRA: it says for
which tuples of natural numbers the predicates $P_i$ are known to be true (by the model condition). The
consistency condition implies that in each state of knowledge $s$ there exists at most one witness $n$ of the
existential statement $\exists y.\ P(\vec{m}, y)$ for each predicate $P$ and tuple of natural numbers $\vec{m}$. This $n$ will be the
value of $\varphi_P(\vec{m})$ in the state $s$.

States of knowledge can be presented as a structure $(\mathbb{S}, \sqsubseteq, \bot, \sqcup)$, where $(\mathbb{S}, \sqsubseteq)$ is the partial order
defined by $s \sqsubseteq s'$ if and only if $s \subseteq s'$; it has a bottom element $\bot = \emptyset$ and join of compatible states,
$s \sqcup s' = s \cup s'$, where $s, s'$ are compatible, written $s \uparrow s'$, if $s, s' \sqsubseteq s''$ for some $s'' \in \mathbb{S}$, or equivalently if
whenever $(P, \vec{m}, n) \in s$ and $(P, \vec{m}, n') \in s'$ it is the case that $n = n'$. $\mathbb{S}$ is also closed under (arbitrary)
intersections, and it is downward closed w.r.t. $\sqsubseteq$, namely subset inclusion.

The set $\mathbb{S}$ is decidable, for which it is essential that the equality $P_i = P_j$ is an identity of definitions,
since the equivalence of primitive recursive predicates is undecidable. By the finiteness of the states $s \in \mathbb{S}$,
the order and the compatibility relations are computable, as well as the join of two compatible states.

The language $\mathcal{L}_1$ of PRA + EM$_1$ adds to $\mathcal{L}_0$ the symbols $\chi_P$ and $\varphi_P$ for each predicate symbol $P$ of
$\mathcal{L}_0$. To interpret the theory PRA + EM$_1$ we begin by giving meaning to these symbols.



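Definition 3.2. For each predicate symbol $P$ of arity $k + 1$, let $[\![\chi_P]\!] : \mathbb{N}^k \times \mathbb{S} \to \mathbb{B}$ be defined by:

$$[\![\chi_P]\!](\vec{m}, s) = \begin{cases} \mathrm{true} & \text{if } (P, \vec{m}, n) \in s \text{ for some } n, \\ \mathrm{false} & \text{otherwise.} \end{cases}$$

Similarly define $[\![\varphi_P]\!] : \mathbb{N}^k \times \mathbb{S} \to \mathbb{N}$ by:

$$[\![\varphi_P]\!](\vec{m}, s) = \begin{cases} n & \text{if } (P, \vec{m}, n) \in s \text{ for some } n, \\ 0 & \text{otherwise.} \end{cases}$$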



Because of the consistency condition in Definition 3.1, the value of $[\![\varphi_P]\!](\vec{m}, s)$ is unique. However there
exist states $s$ such that $[\![\varphi_P]\!](\vec{m}, s) \neq [\![\varphi_Q]\!](\vec{m}, s)$ even if $P$ and $Q$ are equivalent as predicates, though they
have different indexes. In this case $P$ (and its equivalent $Q$) denotes a non functional predicate; $\varphi_P$ and
$\varphi_Q$ are also different symbols, that in some models denote distinct Skolem functions.

Clearly both $[\![\chi_P]\!](\vec{m}, s)$ and $[\![\varphi_P]\!](\vec{m}, s)$ are computable. Note that the decidability of $[\![\chi_P]\!](\vec{m}, s)$ makes
the default value of $[\![\varphi_P]\!](\vec{m}, s)$ effectively distinguishable from its possible proper value 0, according to
the fact that $(P, \vec{m}, 0) \in s$ or not. In any case the meaning of $\varphi_P$ is a total computable function.

Lemma 3.3 Monotonicity of $[\![\chi_P]\!]$. Let $s \sqsubseteq s'$, for $s, s' \in \mathbb{S}$;

(1) if $[\![\chi_P]\!](\vec{m}, s) = \mathrm{true}$ then $[\![\chi_P]\!](\vec{m}, s') = \mathrm{true}$;

(2) the inverse implication does not hold in general.

Proof. Immediate: for the second claim take any $P, \vec{m}, n$ such that $P(\vec{m}, n)$ is true, $s = \bot$,
$s' = \{(P, \vec{m}, n)\}$. $\Box$
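
Definitions 3.1 and 3.2 and the order structure on states can be executed directly. The following sketch is an added example, not code from the paper: the predicates `Div` and `Sqrt` are constructed stand-ins for entries of the enumeration $R_0, R_1, \ldots$, and `learn` is an assumed one-step learner for the derivable implication $P(\vec{m}, n) \to P(\vec{m}, \varphi_P(\vec{m}))$, written only to illustrate how adding a fact changes the value of $\varphi_P$.

```python
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

Fact = Tuple[str, Tuple[int, ...], int]   # (P, m, n): "P(m, n) is known to be true"
State = FrozenSet[Fact]

# Constructed stand-ins for the enumeration R_0, R_1, ... of primitive recursive
# predicates. The dictionary key plays the role of the index i, so "P = Q" is
# decided by comparing names, never by comparing extensions.
PREDICATES: Dict[str, Callable[[Tuple[int, ...], int], bool]] = {
    "Div": lambda m, n: 1 < n < m[0] and m[0] % n == 0,   # n is a proper divisor of m
    "Sqrt": lambda m, n: n * n == m[0],                    # n is a square root of m
}
BOTTOM: State = frozenset()   # the trivial state, i.e. the empty set
DEFAULT = 0                   # value of phi_P when the state records no witness


def is_state(facts: Iterable[Fact]) -> bool:
    """Definition 3.1: model condition (1) and consistency condition (2)."""
    witness: Dict[Tuple[str, Tuple[int, ...]], int] = {}
    for p, m, n in facts:
        if not PREDICATES[p](m, n):              # (1) P(m, n) is true in the model
            return False
        if witness.setdefault((p, m), n) != n:   # (2) at most one n per (P, m)
            return False
    return True


def chi(p: str, m: Tuple[int, ...], s: State) -> bool:
    """Definition 3.2: true iff s records some witness for P at m."""
    return any(q == p and k == m for q, k, _ in s)


def phi(p: str, m: Tuple[int, ...], s: State) -> int:
    """Definition 3.2: the recorded witness, or the default value 0."""
    for q, k, n in s:
        if q == p and k == m:
            return n
    return DEFAULT


def compatible(s: State, t: State) -> bool:
    """Two states are compatible iff their union is again a state."""
    return is_state(s | t)


def join(s: State, t: State) -> State:
    """Join of compatible states is set union; incompatible states have none."""
    if not compatible(s, t):
        raise ValueError("incompatible states have no join")
    return s | t


def axiom_holds(p: str, m: Tuple[int, ...], n: int, s: State) -> bool:
    """Truth value in state s of P(m, n) -> P(m, phi_P(m))."""
    return (not PREDICATES[p](m, n)) or PREDICATES[p](m, phi(p, m, s))


def learn(p: str, m: Tuple[int, ...], n: int, s: State) -> State:
    """Assumed learning step: extend s by (P, m, n) only if the implication fails in s."""
    if axiom_holds(p, m, n, s):
        return s
    # The implication can only fail when s has no witness for (P, m), so the
    # extension below always satisfies the consistency condition.
    return join(s, frozenset({(p, m, n)}))
```

With `Div`, the states `{("Div", (12,), 2)}` and `{("Div", (12,), 3)}` are both legal but incompatible, which is the non functional case discussed after Definition 3.2; with `Sqrt`, the fact `("Sqrt", (0,), 0)` shows why `chi` is needed to tell the proper value 0 from the default.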

In order to extend the standard interpretation of PRA to a constructive interpretation of PRA + EM$_1$,
though in a richer model, we let the meaning of any term and formula depend on an extra parameter in
$\mathbb{S}$, even if this is essential only when symbols $\varphi_P$ or $\chi_P$ occur in the term or formula.

To this aim we use a (strong) monad; following [Moggi 1991] we present monads as Kleisli triples. We quickly summarize the needed concepts and definitions: see [Moggi 1991] for a treatment of strong monads and of their use for giving the semantics to "computational" types. Let $|\mathcal{C}|$ be the class of objects of the category $\mathcal{C}$:

Definition 3.4 Kleisli Triple. A Kleisli triple $(T, \eta, \_^*)$ over a category $\mathcal{C}$ is given by a mapping $T : |\mathcal{C}| \to |\mathcal{C}|$ over the objects of $\mathcal{C}$, a family of morphisms $\eta_X : X \to TX \in \mathcal{C}$ for each $X \in |\mathcal{C}|$, and a mapping $\_^*$ such that $f^* : TX \to TY \in \mathcal{C}$ whenever $f : X \to TY \in \mathcal{C}$, and the following equations hold:

(2) $\eta_X^* = \mathrm{Id}_{TX}$,

(3) $g^* \circ f^* = (g^* \circ f)^*$, where $g : Y \to TZ \in \mathcal{C}$.

The mapping $\eta_X$ is the inclusion of $X$ into $TX$; $f^*$ is called the extension of the morphism $f : X \to TY$ to the morphism $f^* : TX \to TY$. A triple $(T, \eta, \_^*)$ defines a new category, the Kleisli category $\mathcal{C}_T$, whose class of objects is $|\mathcal{C}|$, and morphisms are $\mathcal{C}_T[X, Y] = \mathcal{C}[X, TY]$. The identity $\mathrm{Id}_X$ over $X \in |\mathcal{C}|$ is $\eta_X \in \mathcal{C}_T[X, X] = \mathcal{C}[X, TX]$, and composition is given by: $f \cdot g = f^* \circ g$. Under this reading, the clauses of Definition 3.4 imply that $\mathcal{C}_T$ is a well defined category.

Remark 3.5 Monad. Monads arose in category theory for the study of adjunctions (see e.g. [Lane 1971]), but they have proved to be a fruitful concept also to treat algebraic structures. A monad over a category $\mathcal{C}$ is a structure $(T, \eta, \mu)$ where $T : \mathcal{C} \to \mathcal{C}$ is a functor, $\eta : \mathrm{Id}_{\mathcal{C}} \to T$ and $\mu : T^2 \to T$ (where $T^2 = T \circ T$), called the unit and the multiplication of the monad respectively, are natural transformations such that, for all $X \in |\mathcal{C}|$:

$$\mu_X \circ \eta_{TX} = \mu_X \circ T\eta_X = \mathrm{Id}_{TX}, \qquad \mu_X \circ \mu_{TX} = \mu_X \circ T\mu_X.$$

A triple induces a monad and vice versa (see [Moggi 1991] and the references there). In fact, to extend the mapping $T : |\mathcal{C}| \to |\mathcal{C}|$ to a functor it suffices to set $Tf = (\eta_Y \circ f)^*$ for $f : X \to Y$; w.r.t. such a functor, $\eta$ satisfies the naturality condition; to get $\mu$ it suffices to set $\mu_X = \mathrm{Id}_{TX}^*$. Vice versa, given the monad $(T, \eta, \mu)$, one recovers the Kleisli extension by $f^* = \mu_Y \circ Tf$ for $f : X \to TY$. Because of this correspondence, we speak of triples and monads interchangeably.

We work in the category of sets Set, though using only the part of it which models Gödel system T. Actually we conjecture that our constructions could be generalized to any ccc with a natural number object (see [Lambek and Scott 1986]).

We use the simply typed $\lambda$-calculus as metanotation: sets are denoted as types and morphisms by $\lambda$-terms. By $X \to Y$ we denote the object $Y^X$, but sometimes also the homset $\mathbf{Set}[X, Y]$; $X \to Y \to Z$ abbreviates $X \to (Y \to Z)$, that is the arrow associates to the right. Because of the well known isomorphism $X \times Y \to Z \simeq X \to Y \to Z$, the same function will be written both in the uncurrified form: $f(x, y)$ and in the currified one: $f\,x\,y$, according to convenience; also the more familiar notation $f(x)$ is preferred to $f\,x$.

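The following is a monad, which we call the state monad:

Definition 3.6 The State Monad. We call the tuple $(\mathcal{S}, \eta^{\mathcal{S}}, \_^{*\mathcal{S}})$ the state monad, where:

$$\mathcal{S}X = \mathbb{S} \to X \quad \text{where } X \in |\mathbf{Set}|,$$

$$\eta^{\mathcal{S}}_X(x) = \lambda s \in \mathbb{S}.\, x \quad \text{for } x \in X,$$

$$f^{*\mathcal{S}}(\alpha) = \lambda s \in \mathbb{S}.\, f(\alpha(s), s) \quad \text{for } f : X \to \mathcal{S}Y \in \mathbf{Set} \text{ and } \alpha \in \mathcal{S}X.$$

As long as this causes no confusion, we shall abbreviate $\eta^{\mathcal{S}}$ by $\eta$ and $f^{*\mathcal{S}}$ by $f^*$.

Proposition 3.7. The tuple $(\mathcal{S}, \eta, \_^*)$ is a Kleisli triple, hence a monad.

Proof. By checking the equations of Definition 3.4. For equation (1) let $x \in X$ and $f : X \to \mathcal{S}Y$, then:

$$(f^* \circ \eta_X)(x) = f^*(\lambda s.\, x) = \lambda s'.\, f((\lambda s.\, x)(s'), s') = \lambda s'.\, f(x, s') = f(x).$$

To see (2), for any $\alpha \in \mathcal{S}Y$ and $s \in \mathbb{S}$ we have:

$$(\eta_Y)^*(\alpha, s) = \eta_Y(\alpha(s), s) = (\lambda\_.\, \alpha(s))(s) = \alpha(s).$$

Finally, to check (3) let $f$ be as above, $g : Y \to \mathcal{S}Z$, $\alpha \in \mathcal{S}X$ and $s \in \mathbb{S}$. Then:

$$(g^* \circ f^*)(\alpha, s) = g^*(f^*(\alpha), s) = g(f^*(\alpha, s), s) = g(f(\alpha(s), s), s).$$

On the other hand:

$$(g^* \circ f)^*(\alpha, s) = (g^* \circ f)(\alpha(s), s) = g^*(f(\alpha(s)), s) = g(f(\alpha(s), s), s).$$

□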
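Remark 3.8. According to Remark 3.5, the action of $\mathcal{S}$ over morphisms is:

$$\begin{aligned} \mathcal{S}f &= (\eta_Y \circ f)^* \\ &= \lambda \alpha \in \mathcal{S}X\ s \in \mathbb{S}.\ ((\lambda y \in Y\ s' \in \mathbb{S}.\ y) \circ f)(\alpha(s), s) \\ &= \lambda \alpha \in \mathcal{S}X\ s \in \mathbb{S}.\ f(\alpha(s)) \\ &= \lambda \alpha \in \mathcal{S}X.\ f \circ \alpha, \end{aligned}$$

for $f : X \to Y$. We call $\mathcal{S}f$ the pointwise extension of $f$. Note that $\mathcal{S}f = \lambda \alpha.\ f \circ \alpha$, hence it is just the hom-functor $\mathbf{Set}(\mathbb{S}, -)$.

From Remark 3.5 we know that $\mu_X = \mathrm{Id}^*_{\mathcal{S}X}$, so that by definition unraveling we have that $\mu_X$ is the diagonalization of its first argument:

$$\mu_X(\delta, s) = \delta(s, s), \quad \text{for any } \delta \in \mathcal{S}^2X \text{ and } s \in \mathbb{S}.$$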

Next we extend the definitions of $[\![\chi_P]\!]$ and $[\![\varphi_P]\!]$ in 3.2 and we interpret truth values and numbers expressed by terms and formulas in $\mathcal{L}_1$ by elements of $\mathcal{S}\mathbb{B}$ and $\mathcal{S}\mathbb{N}$ instead of $\mathbb{B}$ and $\mathbb{N}$ respectively. For the sake of discussion let $t$ and $A$ be any term and formula of $\mathcal{L}_1$ respectively such that there is at most one free variable occurring in them. In case $t \in \mathcal{L}_0$ its standard interpretation is a map in $\mathbb{N} \to \mathbb{N}$; if instead $t \in \mathcal{L}_1 \setminus \mathcal{L}_0$ then its meaning should have a type similar to that of $\varphi_P(x)$ (for some binary $P$), that is an arrow $[\![t]\!] : \mathbb{N} \to \mathcal{S}\mathbb{N}$; similarly the semantics of $A \in \mathcal{L}_1 \setminus \mathcal{L}_0$ should be in $\mathbb{N} \to \mathcal{S}\mathbb{B}$. To define a uniform interpretation of $\mathcal{L}_1$ we have two possibilities. The first one is to let terms and formulas have their denotations of type $X \to \mathcal{S}Y$, namely as arrows of the Kleisli category $\mathbf{Set}_{\mathcal{S}}$: this is the choice preferred in [Moggi 1991]. However in our construction we use types of the form $\mathcal{S}X \to \mathcal{S}Y$ for morphisms, because we want to stress that our "individuals" are certain convergent objects in $\mathcal{S}X$ for $X = \mathbb{N}$ or $\mathbb{B}$ (see Section 4). This is in analogy with the common idea that real numbers are the actual individuals of analysis, even if they have been constructed, say, as Cauchy sequences of rational numbers.

In general given the monad $T$ over the category $\mathcal{C}$ we may consider the category $\mathcal{C}^*_T$ such that $|\mathcal{C}^*_T| = |\mathcal{C}|$ and $\mathcal{C}^*_T(X, Y) = \{f^* \mid f \in \mathcal{C}_T(X, Y)\}$, where we recall that $\mathcal{C}_T(X, Y) = \mathcal{C}(X, TY)$. Then it is straightforward to see that $\mathcal{C}^*_T$ and $\mathcal{C}_T$ are equivalent categories, so that we can work out the interpretation of $\mathcal{L}_1$ in $\mathbf{Set}^*_{\mathcal{S}}$ without essentially departing from Moggi's theory of computational types.

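More in detail we say that an environment is a map $\xi : \mathrm{Var} \to \mathcal{S}\mathbb{N}$ and consistently that the interpretation of a term $t$ of the language $\mathcal{L}_1$ should be an element $[\![t]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{N}$. For the basic cases we have the unproblematic clauses:

$$[\![x]\!]^{\mathcal{S}}_\xi = \xi(x), \qquad [\![\mathsf{0}]\!]^{\mathcal{S}}_\xi = \eta_{\mathbb{N}}(0) = \lambda\_.\,0,$$

where we write $\lambda\_.\cdots$ for $\lambda s \in \mathbb{S}.\cdots$ when $\cdots$ does not depend on $s$.

Suppose that $\mathsf{f}$ is a unary functional symbol, whose meaning in the standard model is the (primitive recursive) function $f : \mathbb{N} \to \mathbb{N}$, and that the interpretation $[\![t]\!]^{\mathcal{S}}_\xi$ of the term $t$ has been defined; by taking into account Remark 3.5 about the action of $\mathcal{S}$ over $f$ we can define:

$$[\![\mathsf{f}(t)]\!]^{\mathcal{S}}_\xi = (\mathcal{S}f)([\![t]\!]^{\mathcal{S}}_\xi) = \lambda s \in \mathbb{S}.\, f([\![t]\!]^{\mathcal{S}}_\xi(s)),$$

that is $[\![\mathsf{f}]\!]^{\mathcal{S}} := \mathcal{S}f$. In the case of predicates we have similarly that, if $P : \mathbb{N} \to \mathbb{B}$ is the interpretation of the unary predicate $\mathsf{P}$, then we define $[\![\mathsf{P}]\!]^{\mathcal{S}} := \mathcal{S}P = \lambda \alpha \in \mathcal{S}\mathbb{N}\ s \in \mathbb{S}.\, P(\alpha(s))$.

Remark 3.9. The interpretation of a numeral $\mathsf{n} = \mathsf{succ}^n\,\mathsf{0}$ is a constant function in $\mathcal{S}\mathbb{N}$: if $succ : \mathbb{N} \to \mathbb{N}$ is the successor function, then for example (by omitting the environment $\xi$):

$$[\![\mathsf{succ}(\mathsf{0})]\!]^{\mathcal{S}} = \mathcal{S}(succ)\,[\![\mathsf{0}]\!]^{\mathcal{S}} = \lambda s \in \mathbb{S}.\, succ((\lambda\_.\,0)\, s) = \lambda\_.\, succ(0) = \lambda\_.\,1.$$

By the interpretation of $\mathsf{0}$ and a straightforward induction, we have that $[\![\mathsf{n}]\!]^{\mathcal{S}} = \lambda\_.\, n$, for all $n$.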

We step to $k$-ary functions and predicates using the construction proposed in [Moggi 1991]. A uniform embedding of $TX_1 \times \cdots \times TX_k$ into $T(X_1 \times \cdots \times X_k)$ has to be provided, which is constructed by means of the concept of tensorial strength. If the reader is not interested in the treatment of products in the theory of monads and computational types, (s)he may skip Definition 3.10 and Proposition 3.11, and take the equations (1)-(4) below 3.11 as definitions of tuple and of the interpretation of $k$-ary functions.

Recall that a category has enough points if it has a terminal object $1$, and for all pairs of arrows $f, g : X \to Y$, if $f \circ a = g \circ a$ for all $a : 1 \to X$ (called point of $X$), then $f = g$. The category Set has obviously enough points (actually it is the typical such category), as the terminal object is any singleton set $\{*\}$, a point $x : \{*\} \to X$ is just a constant function $* \mapsto x$ for some $x \in X$ and morphisms are set theoretic maps; consequently we can use a more compact definition of tensorial strength than in the general case of cartesian categories, on the ground of Proposition 3.4 of [Moggi 1991]. We also recall that any category theoretic $\lambda$-model has enough points, so that the following is not really restrictive.

Definition 3.10 Tensorial Strength and Strong Monad [Moggi 1991]. Let $(T, \eta, \mu)$ be a monad over a category $\mathcal{C}$ with finite products and enough points, and $!_Y : Y \to 1$ the unique morphism from $Y$ to the terminal object. A tensorial strength $t$ of $(T, \eta, \mu)$ is the unique family of morphisms $t_{X,Y} : X \times TY \to T(X \times Y)$ of $\mathcal{C}$ such that:

$$\forall a : 1 \to X,\ b : 1 \to TY.\quad t_{X,Y} \circ \langle a, b\rangle = T(\langle a \circ {!_Y}, \mathrm{Id}_Y\rangle) \circ b.$$

If $t$ is a tensorial strength of $(T, \eta, \mu)$ we say that $(T, \eta, \mu, t)$ is a strong monad.

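Proposition 3.11 Tensorial Strength of $\mathcal{S}$. The state monad $\mathcal{S}$ has a tensorial strength given by:

$$t_{X,Y}(x, \alpha) := \lambda s \in \mathbb{S}.\, \langle x, \alpha(s)\rangle,$$

where $\langle \_, \_\rangle$ is just set theoretic pairing.

Proof. Set $\bar{x} : \{*\} \to X$ to $\lambda\_.\,x$ and $\bar{\alpha} : \{*\} \to \mathcal{S}Y$ to $\lambda\_.\,\alpha$ for $x \in X$ and $\alpha \in \mathcal{S}Y$, which are the points such that $(t_{X,Y} \circ \langle \bar{x}, \bar{\alpha}\rangle)(*) = t_{X,Y}(x, \alpha)$. Now, by Remark 3.8 and since $!_Y = \lambda\_ \in Y.\, *$:

$$\begin{aligned} \mathcal{S}(\langle \bar{x} \circ {!_Y}, \mathrm{Id}_Y\rangle) &= \mathcal{S}(\langle \lambda\_ \in Y.\, x, \mathrm{Id}_Y\rangle) \\ &= \lambda \beta \in \mathcal{S}Y\ s \in \mathbb{S}.\ \langle \lambda\_ \in Y.\, x, \mathrm{Id}_Y\rangle(\beta(s)) \\ &= \lambda \beta \in \mathcal{S}Y\ s \in \mathbb{S}.\ \langle x, \beta(s)\rangle, \end{aligned}$$

which is of type $\mathcal{S}Y \to \mathcal{S}(X \times Y)$. Hence:

$$(\mathcal{S}(\langle \bar{x} \circ {!_Y}, \mathrm{Id}_Y\rangle) \circ \bar{\alpha})(*) = (\lambda \beta \in \mathcal{S}Y\ s \in \mathbb{S}.\ \langle x, \beta(s)\rangle)(\bar{\alpha}(*)) = \lambda s \in \mathbb{S}.\ \langle x, \alpha(s)\rangle = t_{X,Y}(x, \alpha),$$

and therefore $t_{X,Y} \circ \langle \bar{x}, \bar{\alpha}\rangle = \mathcal{S}(\langle \bar{x} \circ {!_Y}, \mathrm{Id}_Y\rangle) \circ \bar{\alpha}$ as desired. □

Putting $\psi_{X,Y} := (t_{X,Y} \circ c_{\mathcal{S}Y,X})^* \circ t_{\mathcal{S}Y,X} \circ c_{\mathcal{S}X,\mathcal{S}Y}$, where $c_{X,Y} : X \times Y \to Y \times X$ is the canonical exchange isomorphism, we have a function $\psi_{X,Y} : \mathcal{S}X \times \mathcal{S}Y \to \mathcal{S}(X \times Y)$ which is the component at $X, Y$ of a natural transformation (see [Moggi 1991], Remark 3.6). By definition unfolding we obtain:

$$\psi_{X,Y}(\alpha, \beta) = \langle \alpha, \beta\rangle = \lambda s \in \mathbb{S}.\ \langle \alpha(s), \beta(s)\rangle. \tag{1}$$

This concludes the categorical detour about strong monads.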

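Let $eq : \mathbb{N} \times \mathbb{N} \to \mathbb{B}$ be the equality map: $eq(m, n) = \text{true}$ if $m = n$, $eq(m, n) = \text{false}$ else. If $[\![t_1]\!]^{\mathcal{S}}_\xi$ and $[\![t_2]\!]^{\mathcal{S}}_\xi$ have been defined then:

$$(\mathcal{S}(eq) \circ \psi_{\mathbb{N},\mathbb{N}})([\![t_1]\!]^{\mathcal{S}}_\xi, [\![t_2]\!]^{\mathcal{S}}_\xi) = \mathcal{S}(eq)(\langle [\![t_1]\!]^{\mathcal{S}}_\xi, [\![t_2]\!]^{\mathcal{S}}_\xi\rangle) = \lambda s \in \mathbb{S}.\ eq([\![t_1]\!]^{\mathcal{S}}_\xi(s), [\![t_2]\!]^{\mathcal{S}}_\xi(s)),$$

which is natural to take as the interpretation of equality.
It is straightforward to generalize $\psi$ to $k$-ary products:

$$\psi_{X_1,\ldots,X_k} : \mathcal{S}X_1 \times \cdots \times \mathcal{S}X_k \to \mathcal{S}(X_1 \times \cdots \times X_k) \tag{2}$$

where, if $\alpha_1 \in \mathcal{S}X_1, \ldots, \alpha_k \in \mathcal{S}X_k$ we have:

$$\psi_{X_1,\ldots,X_k}(\alpha_1, \ldots, \alpha_k) = \langle \alpha_1, \ldots, \alpha_k\rangle = \lambda s \in \mathbb{S}.\ \langle \alpha_1(s), \ldots, \alpha_k(s)\rangle.$$

If $f : X_1 \times \cdots \times X_k \to Y$ then we abbreviate:

$$f^{\mathcal{S}} := \mathcal{S}(f) \circ \psi_{X_1,\ldots,X_k} : \mathcal{S}X_1 \times \cdots \times \mathcal{S}X_k \to \mathcal{S}Y, \tag{3}$$

where if $k = 1$ then $f^{\mathcal{S}} := \mathcal{S}(f)$.

In particular consider $\psi_{\mathbb{N},\ldots,\mathbb{N}} : (\mathcal{S}\mathbb{N})^k \to \mathcal{S}(\mathbb{N}^k)$, with $k$ occurrences of $\mathbb{N}$ in the subscript of $\psi$, that we shall denote shortly by $\psi_{\mathbb{N}^k}$. Then we finally obtain, for the $k$-ary function symbol $\mathsf{f}$ and its semantics $f : \mathbb{N}^k \to \mathbb{N}$ in the standard model:

$$[\![\mathsf{f}]\!]^{\mathcal{S}} := f^{\mathcal{S}} = \lambda \alpha_1 \in \mathcal{S}\mathbb{N} \ldots \alpha_k \in \mathcal{S}\mathbb{N}\ s \in \mathbb{S}.\ f(\alpha_1(s), \ldots, \alpha_k(s)), \tag{4}$$

namely the semantics of $\mathsf{f}$ is the pointwise lifting of its meaning in the standard model. The same construction works for the $k$-ary predicates. Finally we abuse notation and write:

$$[\![\varphi_P]\!]^{\mathcal{S}} := [\![\varphi_P]\!]^* \circ \psi_{\mathbb{N}^k} \quad \text{and} \quad [\![\chi_P]\!]^{\mathcal{S}} := [\![\chi_P]\!]^* \circ \psi_{\mathbb{N}^k}, \tag{5}$$

where $[\![\varphi_P]\!]$ and $[\![\chi_P]\!]$ have been defined in 3.2 for all $(k+1)$-ary predicates $P$ of $\mathcal{L}_0$, and $\_^*$ is the extension mapping of the monad $\mathcal{S}$.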

In summary the interpretation of PRA + EM$_1$ atomic formulas is the following:

Definition 3.12 Terms and Atomic Formulas Interpretation. Let $\xi : \mathrm{Var} \to \mathcal{S}\mathbb{N}$ be an environment for the individual variables, and $t$ a term of the language $\mathcal{L}_1$; then $[\![t]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{N}$ is inductively defined:

$$[\![\chi_P(t_1, \ldots, t_k)]\!]^{\mathcal{S}}_\xi = \lambda s \in \mathbb{S}.\ [\![\chi_P]\!]([\![t_1]\!]^{\mathcal{S}}_\xi(s), \ldots, [\![t_k]\!]^{\mathcal{S}}_\xi(s), s)$$

where $Q : \mathbb{N}^k \to \mathbb{B}$ is the standard interpretation of $\mathsf{Q}$. Note that in Definition 3.12 we do not need to mention explicitly the interpretation of the equality, which is actually a primitive recursive predicate, and hence an instance of $\mathsf{Q}$.

Let $\neg : \mathbb{B} \to \mathbb{B}$ be the boolean negation, and $\wedge, \vee, \to\ : \mathbb{B} \times \mathbb{B} \to \mathbb{B}$ be the respective binary boolean functions. Then set $[\![\star]\!]^{\mathcal{S}} := \star^{\mathcal{S}}$ for $\star = \neg, \wedge, \vee, \to$.

Definition 3.14 Non Atomic Formulas Interpretation. If $A \in \mathcal{L}_1$ is a non atomic formula and $\xi$ any environment, then $[\![A]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{B}$ is defined by cases:

for $\star = \wedge, \vee, \to$.

Remark 3.15. The interpretation of formulas considered above has some similarities with Kripke semantics of the intuitionistic predicate calculus: in both cases indeed the meaning of a formula is indexed over a partial order; moreover, the states of knowledge can be easily seen as (finite) possible worlds. However the monotonicity property of Kripke models fails in our case:

$$[\![A]\!]^{\mathcal{S}}_\xi(s) = \text{true}\ \ \&\ \ s \sqsubseteq s' \ \not\Rightarrow\ [\![A]\!]^{\mathcal{S}}_\xi(s') = \text{true}.$$

As a counterexample to the implication take $A := \chi_P(x) \to (x = \mathsf{succ}(x))$, where $P(x, y) := x < y$, $s = \{\langle P, 1, 2\rangle\}$, $s' = \{\langle P, 1, 2\rangle, \langle P, 0, 1\rangle\}$ and $\xi(x) = \lambda\_.\,0$.
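The following Python sketch is an added illustration, not code from the paper. It runs the state monad of Definition 3.6, the interpretations of $\chi_P$ and $\varphi_P$, and the counterexample of Remark 3.15, and also evaluates an instance of the $(\varphi)$-axiom and of the $(\chi)$-axiom on the same two states. It assumes that a state is a finite set of triples with at most one witness $n$ per $(P, \vec{m})$ (truth of $P(\vec{m}, n)$ is not checked); all function names are ours.

```python
from typing import FrozenSet, Tuple

Triple = Tuple[str, Tuple[int, ...], int]   # <P, m, n>, P given by name
State = FrozenSet[Triple]
BOTTOM: State = frozenset()

def is_state(s) -> bool:
    """Consistency assumed here: at most one witness n per (P, m)."""
    keys = [(p, m) for (p, m, _) in s]
    return len(keys) == len(set(keys))

def chi(p: str, m: Tuple[int, ...], s: State) -> bool:
    """[[chi_P]](m, s): does s hold a witness for P(m, _)?"""
    return any(q == p and k == m for (q, k, _) in s)

def phi(p: str, m: Tuple[int, ...], s: State) -> int:
    """[[phi_P]](m, s): the witness stored in s, or the default value 0."""
    return next((n for (q, k, n) in s if q == p and k == m), 0)

# --- the state monad: S X = State -> X (curried: f(x)(s) stands for f(x, s)) ---
def unit(x):
    """eta_X(x) = lambda _. x"""
    return lambda s: x

def ext(f):
    """Kleisli extension: f*(alpha) = lambda s. f(alpha(s), s)."""
    return lambda alpha: (lambda s: f(alpha(s))(s))

def lift(f):
    """Pointwise lifting: f^S(a1, ..., ak) = lambda s. f(a1(s), ..., ak(s))."""
    return lambda *alphas: (lambda s: f(*(a(s) for a in alphas)))

def chi_S(p):
    """[[chi_P]]^S: evaluate the arguments and chi_P in the same state."""
    return lambda *alphas: (lambda s: chi(p, tuple(a(s) for a in alphas), s))

def phi_S(p):
    """[[phi_P]]^S: evaluate the arguments and phi_P in the same state."""
    return lambda *alphas: (lambda s: phi(p, tuple(a(s) for a in alphas), s))

implies_S = lift(lambda a, b: (not a) or b)
eq_S = lift(lambda m, n: m == n)
succ_S = lift(lambda n: n + 1)
less_S = lift(lambda x, y: x < y)        # standard meaning of P(x, y) := x < y

# Constructed sample data: the two states and the environment of Remark 3.15,
# plus y := 1 for the (chi)-axiom instance.
S1: State = frozenset({("P", (1,), 2)})
S2: State = S1 | {("P", (0,), 1)}
XI = {"x": unit(0), "y": unit(1)}

def remark_formula(xi):                  # chi_P(x) -> (x = succ(x))
    x = xi["x"]
    return implies_S(chi_S("P")(x), eq_S(x, succ_S(x)))

def phi_axiom(xi):                       # chi_P(x) -> P(x, phi_P(x))
    x = xi["x"]
    return implies_S(chi_S("P")(x), less_S(x, phi_S("P")(x)))

def chi_axiom(xi):                       # P(x, y) -> chi_P(x)
    x, y = xi["x"], xi["y"]
    return implies_S(less_S(x, y), chi_S("P")(x))

def truth_table():
    """Truth value of each formula at S1 and at its extension S2."""
    forms = {"remark": remark_formula, "phi": phi_axiom, "chi": chi_axiom}
    return {name: (f(XI)(S1), f(XI)(S2)) for name, f in forms.items()}

if __name__ == "__main__":
    for name, values in truth_table().items():
        print(name, values)
```

The formula of the remark flips from true to false when the state grows, the $(\varphi)$-axiom instance holds at both states, and the $(\chi)$-axiom instance is false at the smaller state.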

The next lemma states a standard property of the interpretations. We write $\xi[x \mapsto \alpha]$ for the environment whose domain is $\mathrm{dom}(\xi) \cup \{x\}$ and which is everywhere equal to $\xi$ but in $x$ where it holds $\alpha$.

Lemma 3.16 Substitution Lemma. For all $t, t', A \in \mathcal{L}_1$ and variable $x$:



Proof. By induction over $t'$ and $A$. □

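Proposition 3.17. Let $A \in \mathcal{L}_1$. If $A$ is either a non logical axiom of PRA, or a logical axiom of PRA + EM$_1$, or an instance of the $(\varphi)$-axiom, then $[\![A]\!]^{\mathcal{S}}_\xi(s) = \text{true}$ for any environment $\xi$ and state $s$.

Proof. If $t, A \in \mathcal{L}_0$ let us write $[\![t]\!]^{\mathbb{N}}_\rho$ and $[\![A]\!]^{\mathbb{N}}_\rho$ for the respective interpretations of $t$ and $A$ in the standard model w.r.t. the standard environment $\rho : \mathrm{Var} \to \mathbb{N}$. Then an immediate consequence of the interpretation of symbols in $\mathcal{L}_0$ by pointwise lifting of their standard interpretations is that for all environments $\xi : \mathrm{Var} \to \mathcal{S}\mathbb{N}$ and $s \in \mathbb{S}$:

$$[\![t]\!]^{\mathcal{S}}_\xi(s) = [\![t]\!]^{\mathbb{N}}_\rho \quad \text{and} \quad [\![A]\!]^{\mathcal{S}}_\xi(s) = [\![A]\!]^{\mathbb{N}}_\rho, \quad \text{where } \rho(x) = \xi(x, s),$$

which can be formally established by an easy induction over $t$ and $A$.

Now if $A$ is a non logical axiom of PRA then $A \in \mathcal{L}_0$ and $[\![A]\!]^{\mathbb{N}}_\rho = \text{true}$ for any $\rho$, thus $[\![A]\!]^{\mathcal{S}}_\xi(s) = [\![A]\!]^{\mathbb{N}}_\rho = \text{true}$ for any $\xi$ and $s$.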

Let $A \in \mathcal{L}_1$ be a logical axiom of PRA + EM$_1$. Then there exist an axiom $A'$ of IPC, the propositional variables $p_1, \ldots, p_k$ and the formulas $A_1, \ldots, A_k \in \mathcal{L}_1$ such that $A = A'[A_1/p_1, \ldots, A_k/p_k]$. If $\nu : \mathrm{PropVar} \to \mathcal{S}\mathbb{B}$ is an interpretation of the propositional letters in our model, then by an obvious extension of Lemma 3.16 to the propositional variables we have:

$$[\![A'[A_1/p_1, \ldots, A_k/p_k]]\!]^{\mathcal{S}}_\xi = [\![A']\!]^{\mathcal{S}}_\nu \quad \text{where } \nu(p_i, s) = [\![A_i]\!]^{\mathcal{S}}_\xi(s).$$

Then the thesis follows by the fact that $A'$ is a tautology, since IPC is a subtheory of CPC, and by reasoning along the same pattern as above.
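Finally let $A := \chi_P(\vec{x}) \to P(\vec{x}, \varphi_P(\vec{x}))$ be an instance of the $(\varphi)$-axiom, where $P$ is a primitive recursive predicate, and let $\xi$ and $s$ be an arbitrary environment and a state respectively. Then

$$[\![A]\!]^{\mathcal{S}}_\xi(s) = {\to^{\mathcal{S}}}([\![\chi_P(\vec{x})]\!]^{\mathcal{S}}_\xi, [\![P(\vec{x}, \varphi_P(\vec{x}))]\!]^{\mathcal{S}}_\xi)(s) = [\![\chi_P(\vec{x})]\!]^{\mathcal{S}}_\xi(s) \to [\![P(\vec{x}, \varphi_P(\vec{x}))]\!]^{\mathcal{S}}_\xi(s).$$

Now if $[\![\chi_P(\vec{x})]\!]^{\mathcal{S}}_\xi(s) = [\![\chi_P]\!](\vec{m}, s) = \text{false}$, where $\vec{m} = m_1, \ldots, m_k$ for some $k$ and $m_i = \xi(x_i, s)$ for all $i = 1, \ldots, k$, then $[\![A]\!]^{\mathcal{S}}_\xi(s) = \text{true}$ vacuously. Otherwise $\langle P, \vec{m}, n\rangle \in s$ for some $n \in \mathbb{N}$: this implies that $P(\vec{m}, n)$ is true in the standard interpretation and that $[\![\varphi_P(\vec{x})]\!]^{\mathcal{S}}_\xi(s) = [\![\varphi_P]\!](\vec{m}, s) = n$, so that $[\![P(\vec{x}, \varphi_P(\vec{x}))]\!]^{\mathcal{S}}_\xi(s) = [\![P(\vec{m}, n)]\!] = \text{true}$. □

More is actually true, namely that for any $A \in \mathcal{L}_1$, if PRA + $(\varphi) \vdash A$ then $[\![A]\!]^{\mathcal{S}}_\xi(s) = \text{true}$ for all environments $\xi$ and states $s$: we do not prove this fact here, since it is a consequence of Theorem 6.17 (see Corollary 6.18).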

We also observe that Proposition 3.17 fails in case of the $(\chi)$-axiom. Consider the instance $P(x, y) \to \chi_P(x)$, where $P(m, n)$ is true in the standard model for some $m, n \in \mathbb{N}$. Then there exist infinitely many
s G S such that |P(x, y) ~> xp(x)]|^ ^ ^,- ,(s) 7^ true, for which it suffices that d{s) = to, but {P,m,n') 
$\notin s$ for any $n' \in \mathbb{N}$. Indeed the $(\chi)$-axiom is the essential difference between PRA and PRA + EM$_1$.

4. CONVERGENCE, INDIVIDUALS AND GLOBAL FUNCTIONS 

In the previous section we have introduced a dynamic (or perhaps epistemic) concept of individual, which is a map from states of knowledge to individuals in the ordinary sense. In this section we select a subset of the maps in $\mathcal{S}\mathbb{N}$ and $\mathcal{S}\mathbb{B}$ that will represent (dynamic) individuals and truth values in our model, and show that the denotation of any term and of any formula in the language of PRA + EM$_1$ actually is such a kind of map.

Definition 4.1 Sequences, Strong Convergence and Individuals. A weakly increasing sequence over $\mathbb{S}$, shortly a w.i. sequence, is some countable subset $\{s_0, s_1, \ldots\} \subseteq \mathbb{S}$ such that:

$$s_0 \sqsubseteq s_1 \sqsubseteq s_2 \sqsubseteq \cdots,$$

that is it is a mapping $\sigma : \mathbb{N} \to \mathbb{S}$ such that if $i < j$ then $\sigma(i) \sqsubseteq \sigma(j)$. Let $\alpha \in \mathcal{S}X$:

(1) $\alpha \circ \sigma$ is convergent and it has a limit point $\lim(\alpha \circ \sigma) = x$ if

$$\exists i\ \forall j.\ (\alpha \circ \sigma)(i) = (\alpha \circ \sigma)(i + j) = x;$$

(2) $\alpha$ is strongly convergent if for all w.i. sequences $\sigma$, $\alpha \circ \sigma$ is convergent.

We call a strongly convergent $\alpha \in \mathcal{S}X$ an individual of $X$.

When speaking of $\alpha \in \mathcal{S}X$, we use the terms individual, strongly convergent or just convergent as synonyms. For each $\alpha \in \mathcal{S}X$ a sequence of states $\sigma$ induces a sequence $\alpha \circ \sigma$ of values in $X$; it has a limit if it is eventually constant (namely if it becomes stable), that is we consider the limit w.r.t. the discrete topology over $X$. Individuals are intended to refer to their limits, although these are not necessarily unique: in fact the limit of $\alpha \circ \sigma$ depends on $\sigma$ in general, so that they can be different for different w.i. sequences.

Definition 4.2 Constant Individuals and Functions with Global State.

(1) $\alpha \in \mathcal{S}X$ is a constant individual (or just a constant) if $\alpha = \lambda\_.\,x$, for some $x \in X$;
(2) $f : \mathcal{S}X \to \mathcal{S}Y$ has global state if $f(\alpha, s) = f(\lambda\_.\,\alpha(s), s)$, for all $\alpha \in \mathcal{S}X$ and $s \in \mathbb{S}$.

A constant individual is trivially convergent, hence it is an individual in the sense of Definition 4.1. Constant individuals correspond to Kripke's rigid designators (see [Kripke 1972]), which are terms denoting the same object in all possible worlds.

Functions with global state, henceforth called global functions for short, can evaluate their functional argument $\alpha$ in the second argument $s$ only: that is they have essentially a unique global state, whence the name. In fact a non global $f : \mathcal{S}X \to \mathcal{S}Y$ is easily constructed by violating this constraint: let $\alpha \in \mathcal{S}X$ and $h : \mathbb{S} \to \mathbb{S}$ be such that $h(s) = s'$ and $\alpha(s) \neq \alpha(s')$ for certain $s, s' \in \mathbb{S}$; then the function $f := \lambda \beta.\ \beta \circ h$ is not global since $f(\alpha, s) = \alpha(h(s)) = \alpha(s')$, while $f(\lambda\_.\,\alpha(s), s) = (\lambda\_.\,\alpha(s))(h(s)) = \alpha(s)$. Note that, if $h$ is strongly convergent, then $f$ sends individuals to individuals, so that the latter property is not sufficient for a function to be global.

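Lemma 4.3 Retraction Lemma. Let

$$\Phi : \mathcal{S}(X \to Y) \to (\mathcal{S}X \to \mathcal{S}Y), \qquad \Phi(f)(\alpha, s) := f(s)(\alpha(s))$$

$$\Psi : (\mathcal{S}X \to \mathcal{S}Y) \to \mathcal{S}(X \to Y), \qquad \Psi(g)(s, x) := g(\lambda\_.\,x, s)$$

Then $\Phi \circ \Psi$ is a retraction; moreover the image of $\Phi$ is exactly the set of global functions.

Proof. Let $f \in \mathcal{S}(X \to Y) = \mathbb{S} \to (X \to Y)$; then for all $s \in \mathbb{S}$ and $x \in X$:

$$(\Psi \circ \Phi)(f)(s, x) = \Phi(f)(\lambda\_.\,x, s) = f(s)((\lambda\_.\,x)(s)) = f(s, x),$$

therefore $\Psi \circ \Phi = \mathrm{Id}_{\mathcal{S}(X \to Y)}$, so that $(\Phi \circ \Psi) \circ (\Phi \circ \Psi) = \Phi \circ \Psi$ follows. Now let $\alpha \in \mathcal{S}X = \mathbb{S} \to X$ and $s \in \mathbb{S}$; then we have:

$$\Phi(f)(\lambda\_.\,\alpha(s), s) = f(s)((\lambda\_.\,\alpha(s))(s)) = f(s)(\alpha(s)) = \Phi(f)(\alpha, s)$$

that is $\Phi(f)$ is global. On the other hand if $g \in \mathcal{S}X \to \mathcal{S}Y = (\mathbb{S} \to X) \to (\mathbb{S} \to Y)$ is global and $f = \Psi(g)$ then:

$$\Phi(f)(\alpha, s) = \Psi(g)(s, \alpha(s)) = g(\lambda\_.\,\alpha(s), s) = g(\alpha, s)$$

that is $(\Phi \circ \Psi)(g) = g$, namely the image of $\Phi$ is exactly the subset of the global functions in $\mathcal{S}X \to \mathcal{S}Y$. □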

As a corollary, global functions are a characterization of "lifted" morphisms: 

Corollary 4.4. A function $g : \mathcal{S}X \to \mathcal{S}Y$ is global if and only if $g = f^*$ for some $f : X \to \mathcal{S}Y$.
Thus Set J is the largest sub category of Set^ whose arrows are exactly the global functions. 

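Proof. If $f : X \to \mathcal{S}Y$ then for all $\alpha \in \mathcal{S}X$ and $s \in \mathbb{S}$:

$$f^*(\alpha, s) = f(\alpha(s), s) = f((\lambda\_.\,\alpha(s))(s), s) = f^*(\lambda\_.\,\alpha(s), s),$$

hence $f^*$ is global. Vice versa by Lemma 4.3 if $g$ is global then $g = \Phi(h) = \lambda \alpha \in \mathcal{S}X\ s \in \mathbb{S}.\ h(s)(\alpha(s))$, for some $h : \mathbb{S} \to (X \to Y)$. Set $f(x, s) = h(s, x)$, so that $f : X \to \mathcal{S}Y$; then:

$$g = \lambda \alpha \in \mathcal{S}X\ s \in \mathbb{S}.\ f(\alpha(s), s) = f^*.$$

□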
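The sketch below is an added illustration in Python, not code from the paper. It tests the global-state condition of Definition 4.2, the non global function $\lambda\beta.\ \beta \circ h$ described above, and the maps $\Phi$ and $\Psi$ of Lemma 4.3 on a small constructed sample of states and of elements of $\mathcal{S}\mathbb{N}$. The sample data and all names are ours, and equality of functions is only checked on that finite sample.

```python
from typing import FrozenSet, Tuple

State = FrozenSet[Tuple[str, Tuple[int, ...], int]]

# Constructed sample of the state space (a w.i. chain S0 <= S1 <= S2).
S0: State = frozenset()
S1: State = frozenset({("P", (1,), 2)})
S2: State = S1 | {("P", (0,), 1)}
STATES = [S0, S1, S2]

def const(x):
    """The constant individual lambda _. x."""
    return lambda s: x

def ext(f):
    """Extension map of the state monad: f*(alpha, s) = f(alpha(s), s)."""
    return lambda alpha: (lambda s: f(alpha(s))(s))

def Phi(f):
    """Phi(f)(alpha, s) = f(s)(alpha(s)), for f : S -> (X -> Y)."""
    return lambda alpha: (lambda s: f(s)(alpha(s)))

def Psi(g):
    """Psi(g)(s, x) = g(lambda _. x, s), for g : SX -> SY."""
    return lambda s: (lambda x: g(const(x))(s))

def is_global(g, alphas, states=STATES):
    """g(alpha, s) == g(lambda _. alpha(s), s) on the whole sample."""
    return all(g(a)(s) == g(const(a(s)))(s) for a in alphas for s in states)

def agree(g1, g2, alphas, states=STATES):
    """Extensional equality of two maps SX -> SY on the sample."""
    return all(g1(a)(s) == g2(a)(s) for a in alphas for s in states)

# Constructed sample elements of S N.
size = lambda s: len(s)
ALPHAS = [size, const(7), lambda s: 2 * len(s) + 1]

# h is a constant map on states, hence strongly convergent; beta o h reads
# its argument at h(s) instead of s, which breaks the global-state condition.
h = lambda s: S2
non_global = lambda beta: (lambda s: beta(h(s)))
lifted = ext(lambda x: (lambda s: x + len(s)))    # k* for some k : N -> S N
family = lambda s: (lambda x: x * len(s))         # an element of S(N -> N)

def report():
    back = Psi(Phi(family))
    return {
        "non_global is global": is_global(non_global, ALPHAS),
        "lifted is global": is_global(lifted, ALPHAS),
        "Psi o Phi is the identity": all(
            back(s)(x) == family(s)(x) for s in STATES for x in range(4)),
        "Phi(Psi(lifted)) == lifted": agree(Phi(Psi(lifted)), lifted, ALPHAS),
        "Phi(Psi(non_global)) == non_global": agree(
            Phi(Psi(non_global)), non_global, ALPHAS),
        "Phi(Psi(non_global)) is global": is_global(Phi(Psi(non_global)), ALPHAS),
    }

if __name__ == "__main__":
    for claim, value in report().items():
        print(f"{claim}: {value}")
```

On this sample $\Phi \circ \Psi$ fixes the lifted map and replaces the non global one by a global map that differs from it, as the lemma and the corollary predict.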

Remark 4.5. By Lemma 4.3 global functions in $\mathcal{S}X \to \mathcal{S}Y$ are, up to an application of $\Phi$, families of maps in $X \to Y$ indexed over $\mathbb{S}$. The corollary relates global functions to the extension map $\_^*$ of the state monad. To spell it out further, consider the following:

$$F : (X \to Y) \to (X \to \mathcal{S}Y) \quad \text{where } F(f) := \lambda x \in X\ \lambda\_ \in \mathbb{S}.\ f(x)$$

$$G : (X \to \mathcal{S}Y) \to \mathcal{S}(X \to Y) \quad \text{where } G(g) := \lambda s \in \mathbb{S}\ \lambda x \in X.\ g(x, s)$$

$$H : (X \to Y) \to \mathcal{S}(X \to Y) \quad \text{where } H(f) := \lambda\_ \in \mathbb{S}.\ f$$

Then it is easy to see that the following diagram commutes:

[Diagram relating the maps $F$, $G$, $H$ and $\Phi$.]

Since $\Phi \circ G = \_^*$, by Corollary 4.4 the image of $G$ is the set of global maps, up to the embedding $\Phi$. By $\Psi \circ \mathcal{S} = H$, we see that $H$ is just the action of the functor $\mathcal{S}$ over arrows, which is nothing more than a pointwise lifting of functions in $X \to Y$ to functions in $\mathcal{S}X \to \mathcal{S}Y$: in Remark 3.8 we called the image of $H$ (or more precisely of $\Phi \circ H$) the subset of pointwise maps in $\mathcal{S}X \to \mathcal{S}Y$. The fact that $H = G \circ F$ makes it clear that the pointwise maps are a subset of the global ones.

The most relevant property of global functions is that their behaviour is determined by their values over constant individuals.

Theorem 4.6 Density of $\eta_X(X)$ in $\mathcal{S}X$.

(1) If $f, g : \mathcal{S}X \to \mathcal{S}Y$ are global and such that $f(\lambda\_.\,x) = g(\lambda\_.\,x)$ for all $x \in X$, then $f = g$;

(2) if $f : \mathcal{S}X \to \mathcal{S}Y$ is global and $f(\alpha)$ is an individual for all constant individuals $\alpha$, then $f(\beta)$ is an individual for all individuals $\beta$.

Proof.

(1): if $f$ and $g$ are global functions which coincide over constant individuals then

$$f(\alpha, s) = f(\lambda\_.\,\alpha(s), s) = g(\lambda\_.\,\alpha(s), s) = g(\alpha, s).$$

(2): let $\beta \in \mathcal{S}X$ be an individual i.e. strongly convergent; then for any w.i. sequence of states $\sigma$ there exists $i_0 \in \mathbb{N}$ such that for all $j > i_0$, $\beta(\sigma(i_0)) = \beta(\sigma(j))$. Since $f$ is global, we know that $f(\beta, s) = f(\lambda\_.\,\beta(s), s)$ for all $s \in \mathbb{S}$; therefore

$$f(\beta, \sigma(j)) = f(\lambda\_.\,\beta(\sigma(j)), \sigma(j)) = f(\lambda\_.\,\beta(\sigma(i_0)), \sigma(j)),$$

for all $j > i_0$. By the hypothesis that $f(\alpha)$ is strongly convergent for all constant $\alpha$ it follows that $f(\lambda\_.\,\beta(\sigma(i_0)))$ is strongly convergent, so that there exists $i_1$ such that for all $k > i_1$,

$$f(\lambda\_.\,\beta(\sigma(i_0)), \sigma(k)) = f(\lambda\_.\,\beta(\sigma(i_0)), \sigma(i_1)).$$

Then for all $h > \max(i_0, i_1)$:

$$f(\beta, \sigma(h)) = f(\lambda\_.\,\beta(\sigma(i_0)), \sigma(h)) = f(\lambda\_.\,\beta(\sigma(i_0)), \sigma(i_1)).$$

We conclude that $f(\beta)$ is strongly convergent.

□

Note that $\psi_{X_1,\ldots,X_k}(\alpha_1, \ldots, \alpha_k, s) = \langle \alpha_1(s), \ldots, \alpha_k(s)\rangle$, so that, if all $\alpha_i$'s are constant then $\psi_{X_1,\ldots,X_k}(\alpha_1, \ldots, \alpha_k)$ is such. Strictly speaking (2) of Theorem 4.6 does not apply directly to $\psi$. However this can be proved by a similar and easier argument.
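Corollary 4.7. Each component $\psi_{X,Y} : \mathcal{S}X \times \mathcal{S}Y \to \mathcal{S}(X \times Y)$ of the natural transformation $\psi$ sends individuals $\alpha, \beta$ into the strongly convergent $\langle \alpha, \beta\rangle = \lambda s \in \mathbb{S}.\ \langle \alpha(s), \beta(s)\rangle$. The same holds of $\psi_{X_1,\ldots,X_k}$ for all $X_1, \ldots, X_k$.

Proof. Given the individuals $\alpha \in \mathcal{S}X$ and $\beta \in \mathcal{S}Y$ and a w.i. sequence $\sigma$ there exist $i_0, i_1 \in \mathbb{N}$ such that for all $j$:

$$x = (\alpha \circ \sigma)(i_0 + j) = (\alpha \circ \sigma)(i_0) \quad \text{and} \quad y = (\beta \circ \sigma)(i_1 + j) = (\beta \circ \sigma)(i_1).$$

Therefore for all $i > \max(i_0, i_1)$:

$$(\langle \alpha, \beta\rangle \circ \sigma)(i) = \langle \alpha(\sigma(i)), \beta(\sigma(i))\rangle = \langle x, y\rangle.$$

The statement about $\psi_{X_1,\ldots,X_k}$ follows by induction.

□

To provide a sufficient condition for the convergence of the output of a map with $k$ arguments, consider the obvious generalisation of the notion of functions with global state to the case of $k$-ary functions $f : \mathcal{S}X_1 \times \cdots \times \mathcal{S}X_k \to \mathcal{S}Y$, that we call $k$-global if for all $\alpha_1 \in \mathcal{S}X_1, \ldots, \alpha_k \in \mathcal{S}X_k$ and $s \in \mathbb{S}$:

$$f(\alpha_1, \ldots, \alpha_k, s) = f(\lambda\_.\,\alpha_1(s), \ldots, \lambda\_.\,\alpha_k(s), s). \tag{6}$$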

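Lemma 4.8. If $f : \mathcal{S}X_1 \times \cdots \times \mathcal{S}X_k \to \mathcal{S}Y$ then there exists a unique $\bar{f} : \mathcal{S}(X_1 \times \cdots \times X_k) \to \mathcal{S}Y$ such that $f = \bar{f} \circ \psi_{X_1,\ldots,X_k}$, that is the following diagram commutes:

[Diagram: $f = \bar{f} \circ \psi_{X_1,\ldots,X_k}$ on $\mathcal{S}X_1 \times \cdots \times \mathcal{S}X_k$.]

Moreover $f$ is $k$-global if and only if $\bar{f}$ is global.

Proof. Define $\bar{f} := \lambda \gamma.\ f(\pi_1 \circ \gamma, \ldots, \pi_k \circ \gamma)$. The first part of the lemma follows by the universal property of the cartesian product. Indeed we first observe that $\psi_{X_1,\ldots,X_k}$ is a surjective map: if $\gamma \in \mathcal{S}(X_1 \times \cdots \times X_k)$ and $\pi_i : X_1 \times \cdots \times X_k \to X_i$ is the $i$-th projection then:

$$\gamma = \langle \pi_1 \circ \gamma, \ldots, \pi_k \circ \gamma\rangle = \psi_{X_1,\ldots,X_k}(\pi_1 \circ \gamma, \ldots, \pi_k \circ \gamma).$$

Thus, writing $\vec{\alpha} = \alpha_1, \ldots, \alpha_k$ and $\langle \vec{\alpha}\rangle = \langle \alpha_1, \ldots, \alpha_k\rangle$ we know that if $\bar{f}$ exists then:

$$(\bar{f} \circ \psi_{X_1,\ldots,X_k})(\vec{\alpha}) = \bar{f}(\langle \vec{\alpha}\rangle) = f(\vec{\alpha}),$$

establishing at the same time unicity and existence of $\bar{f}$.
Now if $f$ is $k$-global then for any $s \in \mathbb{S}$:

$$\begin{aligned} \bar{f}(\lambda\_.\,\delta(s), s) &= f(\pi_1 \circ (\lambda\_.\,\delta(s)), \ldots, \pi_k \circ (\lambda\_.\,\delta(s)), s) \\ &= f(\lambda\_.\,(\pi_1 \circ \delta)(s), \ldots, \lambda\_.\,(\pi_k \circ \delta)(s), s) \\ &= f(\pi_1 \circ \delta, \ldots, \pi_k \circ \delta, s) \\ &= \bar{f}(\delta, s) \end{aligned}$$

by the fact that $\pi_i \circ (\lambda\_.\,\delta(s)) = \lambda\_.\,(\pi_i \circ \delta)(s)$. Vice versa if $\bar{f}$ is global and $s \in \mathbb{S}$ then:

$$\begin{aligned} f(\vec{\alpha}, s) &= (\bar{f} \circ \psi)(\vec{\alpha}, s) \\ &= \bar{f}(\langle \vec{\alpha}\rangle, s) \\ &= f(\pi_1 \circ \lambda\_.\,\langle \vec{\alpha}\rangle(s), \ldots, \pi_k \circ \lambda\_.\,\langle \vec{\alpha}\rangle(s), s) \\ &= f(\lambda\_.\,\alpha_1(s), \ldots, \lambda\_.\,\alpha_k(s), s). \end{aligned}$$

□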

Corollary 4.9. If $f : \mathcal{S}X_1 \times \cdots \times \mathcal{S}X_k \to \mathcal{S}Y$ is $k$-global and it sends constant individuals to individuals, then it sends individuals to individuals.

Proof. Let $\bar{f}$ be the unique global function such that $f = \bar{f} \circ \psi_{X_1,\ldots,X_k}$, which exists by Lemma 4.8: since $\psi_{X_1,\ldots,X_k}$ and its inverse send constant individuals to constant individuals, $\bar{f}$ sends constant individuals to individuals by the hypothesis on $f$, so that it sends individuals to individuals by (2) of Theorem 4.6. By Corollary 4.7, $\psi_{X_1,\ldots,X_k}$ also sends individuals to individuals so that $f$ satisfies the same property. □

Remark 4.10. If $f : X \to Y$ then by Remark 3.8 we have:

$$(\mathcal{S}f)(\lambda\_.\,x) = \lambda s \in \mathbb{S}.\ f((\lambda\_.\,x)(s)) = \lambda\_.\,f(x),$$

that is $\mathcal{S}f$ sends constants in $\mathcal{S}X$ into constants in $\mathcal{S}Y$. On the other hand $\mathcal{S}f = (\eta_Y \circ f)^*$ is global by Corollary 4.4, so that by Theorem 4.6.2, $\mathcal{S}f$ sends convergent elements into convergent ones.

Corollary 4.11. If $f : X_1 \times \cdots \times X_k \to Y$ then $f^{\mathcal{S}}$ is $k$-global. Moreover $f^{\mathcal{S}}$ sends (constant) individuals to (constant) individuals.

Proof. The first part of the thesis is immediate by Corollary 4.4 and Lemma 4.8. The remaining part follows by $f^{\mathcal{S}} = \mathcal{S}(f) \circ \psi_{X_1,\ldots,X_k}$, the fact that $\mathcal{S}(f)$ sends constant individuals to constant individuals by Remark 4.10 and that the components of the natural transformation $\psi$ send constant individuals to constant individuals. □

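The next lemma relates the interpretation of terms and formulas to global and $k$-global functions and will be useful in Section 6.

Lemma 4.12. For any variable $x$, term $t \in \mathcal{L}_1$ and formula $A \in \mathcal{L}_1$ and for any environment $\xi$ the functions

$$\lambda \alpha \in \mathcal{S}\mathbb{N}.\ [\![t]\!]^{\mathcal{S}}_{\xi[x \mapsto \alpha]} \quad \text{and} \quad \lambda \alpha \in \mathcal{S}\mathbb{N}.\ [\![A]\!]^{\mathcal{S}}_{\xi[x \mapsto \alpha]}$$

are global. In general the functions $\lambda \vec{\alpha}.\ [\![t]\!]^{\mathcal{S}}_{\xi[\vec{x} \mapsto \vec{\alpha}]}$ and $\lambda \vec{\alpha}.\ [\![A]\!]^{\mathcal{S}}_{\xi[\vec{x} \mapsto \vec{\alpha}]}$ are $k$-global (for $k$ equal to the length of the vectors $\vec{\alpha}$ and $\vec{x}$), provided that both $FV(t)$ and $FV(A)$ are included in $\vec{x}$.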

Proof. By an easy induction over $t$ and $A$. If $t = x$ then for any $s \in \mathbb{S}$:

The inductive cases are immediate consequences of the inductive hypothesis. E.g. let $t = \varphi_P(t_1, \ldots, t_k)$, then for any $s \in \mathbb{S}$:

= bpl([il]|.^A..a(s)]'---'I*felf[r.^A..a(.)]'^) ^Y md. hyp. 

The rest is equally straightforward. □
An immediate consequence of Remark 4.10 and Corollary 4.11 is that if $t$ and $A$ are a term and a formula in the language $\mathcal{L}_0$ respectively (hence not including any $\varphi_P$ nor $\chi_P$ symbol), then their interpretations $[\![t]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{N}$ and $[\![A]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{B}$ are constant, provided that each $\xi(x)$ is such. We prove now that in general terms and formulas of the language $\mathcal{L}_1$ denote strongly convergent individuals, provided that the free variables occurring in them are interpreted by strongly convergent individuals.

Lemma 4.13. For all $\vec{m}$ of the appropriate length, both $\lambda s \in \mathbb{S}.\ [\![\chi_P]\!](\vec{m}, s) \in \mathcal{S}\mathbb{B}$ and $\lambda s \in \mathbb{S}.\ [\![\varphi_P]\!](\vec{m}, s) \in \mathcal{S}\mathbb{N}$ are strongly convergent.

Proof. Consider $\alpha = \lambda s \in \mathbb{S}.\ [\![\chi_P]\!](\vec{m}, s) \in \mathcal{S}\mathbb{B}$, and let $\sigma$ be any w.i. sequence. Now either $\langle P, \vec{m}, n\rangle \notin \sigma(i)$ for all $i$, so that $\alpha \circ \sigma$ is the constantly false function; or there exists $i_0$ such that $\langle P, \vec{m}, n\rangle \in \sigma(i_0)$: then, since $\sigma$ is weakly increasing, $\langle P, \vec{m}, n\rangle \in \sigma(j)$ and $\alpha(\sigma(j)) = \text{true}$ for all $j > i_0$.

The case of $\lambda s \in \mathbb{S}.\ [\![\varphi_P]\!](\vec{m}, s) \in \mathcal{S}\mathbb{N}$ is similar. □

Theorem 4.14. If $t$ is any term and $A$ any formula of the language $\mathcal{L}_1$ and $\xi$ an environment whose domain includes the free variables of $t$ and $A$, such that $\xi(x)$ is strongly convergent for all $x$, then both $[\![t]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{N}$ and $[\![A]\!]^{\mathcal{S}}_\xi \in \mathcal{S}\mathbb{B}$ are strongly convergent.

Proof. By induction over $t$ and $A$, using Lemma 4.13 for the cases $\varphi_P(t_1, \ldots, t_k)$ and $\chi_P(t_1, \ldots, t_k)$ respectively, and Corollary 4.11 for the remaining inductive steps. □

5. THE REALIZERS MONAD 

The compositional construction of the search of a state that makes true a certain formula, which we shall describe in Section 6, rests on the ability of merging pairs of states, even if incompatible. We give an abstract definition of a merge operation $\otimes$, and show that there exists one such. In fact more concrete and non-equivalent definitions of merge are possible, as we suggest in a remark.

We then define a quadruple $(\mathcal{R}, \eta^{\mathcal{R}}, \_^{*\mathcal{R}}, \otimes)$, parametric in the merge operation $\otimes$, such that $\mathcal{R}X = \mathcal{S}(X) \times \mathcal{S}(\mathbb{S})$ is the type of pairs of an individual and a realizer (a concept defined in the next section) interacting with each other to the extent of satisfying a formula, which is the goal of the interaction.

The monoidal structure of the merge is lifted to the maps in $\mathcal{S}(\mathbb{S})$, in order to meet the requirement for the functor $\mathcal{R}$ to be a monad.

Definition 5.1 Merge. A merge is a mapping $\otimes : \mathbb{S} \times \mathbb{S} \to \mathbb{S}$ such that, for all $s_1, s_2 \in \mathbb{S}$:

(1) $(\mathbb{S}, \otimes, \bot)$ is a monoid;

(2) if $s_1 \otimes s_2 = \bot$ then $s_1 = \bot = s_2$;

(3) $s_1 \otimes s_2 \subseteq s_1 \cup s_2$.

Note that in clause (3) above we cannot write $s_1 \otimes s_2 \sqsubseteq s_1 \sqcup s_2$ since $s_1 \cup s_2$ might be an inconsistent set, so not in $\mathbb{S}$.

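Lemma 5.2. If $\otimes$ is a merge then for all $s, s_1, s_2 \in \mathbb{S}$:

(1) if $s \uparrow s_1$ and $s \uparrow s_2$ then $s \uparrow (s_1 \otimes s_2)$;

(2) if $s \cap s_1 = s \cap s_2 = \bot$ then $s \cap (s_1 \otimes s_2) = \bot$.

Proof. (1): $s \not\uparrow (s_1 \otimes s_2)$ implies that there exists $a \in s_1 \otimes s_2$ such that $s \not\uparrow \{a\}$. Since $s_1 \otimes s_2 \subseteq s_1 \cup s_2$, it is the case that $a \in s_i$ for either $i = 1$ or $i = 2$, contradicting $s \uparrow s_1$ and $s \uparrow s_2$.

(2): we observe that $s \cap (s_1 \otimes s_2) \subseteq s \cap (s_1 \cup s_2) = (s \cap s_1) \cup (s \cap s_2)$, hence if $(s \cap s_1) \cup (s \cap s_2) = \bot = \emptyset$ then $s \cap (s_1 \otimes s_2) = \bot$.

□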

A very simple example of "merging" consists in dropping one of the merged states. 
Proposition 5.3. The following mapping is a merge:

$$s_1 \otimes_0 s_2 = \begin{cases} s_1 & \text{if } s_1 \neq \bot,\\ s_2 & \text{otherwise.} \end{cases}$$

Proof. It is immediate that $s_1 \otimes_0 s_2 \in \mathbb{S}$ for all $s_1, s_2 \in \mathbb{S}$.

For all $s \in \mathbb{S}$, $\bot \otimes_0 s = s$. If $s = \bot$ then $s \otimes_0 \bot = \bot = s$. On the other hand if $s \neq \bot$ then $s \otimes_0 \bot = s$, hence $\bot$ is the unit of $\otimes_0$.
Let $s_1 = \bot$, then

$$(s_1 \otimes_0 s_2) \otimes_0 s_3 = s_2 \otimes_0 s_3 = s_1 \otimes_0 (s_2 \otimes_0 s_3).$$

Else, if $s_1 \neq \bot$ then

$$(s_1 \otimes_0 s_2) \otimes_0 s_3 = s_1 \otimes_0 s_3 = s_1 = s_1 \otimes_0 (s_2 \otimes_0 s_3).$$

Therefore (1) of Definition 5.1 holds.

If $s_1 \neq \bot$ then $s_1 \otimes_0 s_2 = s_1 \neq \bot$; similarly if $s_1 = \bot$ and $s_2 \neq \bot$ then $s_1 \otimes_0 s_2 = s_2 \neq \bot$, so that condition (2) of Definition 5.1 follows by contraposition.

Finally $s_1 \otimes_0 s_2 = s_i$ for either $i = 1, 2$, hence (3) of Definition 5.1 is satisfied. □

Remark 5.4. The map $\otimes_0$ is essentially a selector of non-$\bot$ states, with a bias toward its first argument: it considers the second argument just in case the first one is not informative at all. In particular it is not commutative, while it is clearly idempotent: $s \otimes_0 s = s$. It is a very simple, though crude, example of merge. Besides it and its symmetric $s_1 \otimes_0' s_2 := s_2 \otimes_0 s_1$, there exist other examples of merge that one could consider. We mention two of them omitting proofs.

— A "parallel" non-commutative merge. Define $s = \{(P, \vec{m}, n) \mid \exists n'.\ (P, \vec{m}, n') \in s\}$, and set

$$s_1 \otimes_1 s_2 := s_1 \cup (s_2 \setminus s_1).$$

This merge saves all of the information in $s_2$ which is consistent with $s_1$, while in case of inconsistency, the elements of $s_1$ prevail: hence it is not commutative, and its symmetric is a different merge. This is the merge operation used in [Aschieri and Berardi 2009].

— A "parallel" commutative merge. For any $X \subseteq \bigcup \mathbb{S}$ define $X := \{(P, \vec{m}, n) \in X \mid \forall (P, \vec{m}, n') \in X.\ n \le n'\}$. Then we set:

$$s_1 \otimes_2 s_2 := s_1 \cup s_2.$$

The effect of $X$ is, for all predicate $P$ and vector of numbers $\vec{m}$, to select, among all possibly inconsistent tuples $(P, \vec{m}, n_1), (P, \vec{m}, n_2), \ldots$ in $X$, the tuple $(P, \vec{m}, n_i)$, where $n_i$ is the minimum among $n_1, n_2, \ldots$. It follows that $X$ is always consistent and, if $X \subseteq \bigcup \mathbb{S}$ is finite, then it is an element of $\mathbb{S}$. Moreover $X \subseteq X$ and $X = X$, hence it is an interior operator. The remarkable property of $\otimes_2$ is commutativity. This merge appears in [Berardi 2005].

We observe that $\otimes_0$, $\otimes_1$ and $\otimes_2$ are all computable functions.
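The three merges above, written out as an added Python example (not code from the paper). It assumes a small constructed universe of atoms, reads a state as a set of atoms with at most one $n$ per $(P, \vec{m})$, and checks by brute force the clauses of Definition 5.1 as they are used in the proof of Proposition 5.3; `merge1` follows the prose description of $\otimes_1$ (it keeps the atoms of $s_2$ whose $(P, \vec{m})$ is undefined in $s_1$).

```python
from itertools import combinations, product

# Constructed universe of atoms (P, m, n); each is assumed to be a true fact.
ATOMS = [("P", 0, 1), ("P", 0, 2), ("P", 1, 1), ("Q", 0, 3)]
BOT = frozenset()  # the empty state, written ⊥ in the text


def consistent(atoms):
    """A set of atoms is a state iff it holds at most one n per (P, m)."""
    keys = [(p, m) for (p, m, _) in atoms]
    return len(keys) == len(set(keys))


STATES = {frozenset(c) for k in range(len(ATOMS) + 1)
          for c in combinations(ATOMS, k) if consistent(c)}


def merge0(s1, s2):
    """Biased selector: drop s2 unless s1 carries no information."""
    return s1 if s1 != BOT else s2


def merge1(s1, s2):
    """Keep s1, plus the atoms of s2 whose (P, m) is undefined in s1."""
    defined = {(p, m) for (p, m, _) in s1}
    return s1 | {a for a in s2 if (a[0], a[1]) not in defined}


def merge2(s1, s2):
    """Union, then keep the atom with the least n for every (P, m)."""
    least = {}
    for (p, m, n) in s1 | s2:
        least[(p, m)] = min(n, least.get((p, m), n))
    return frozenset((p, m, n) for (p, m), n in least.items())


def is_merge(op):
    """Brute-force the merge clauses over every state of the universe."""
    for s1, s2 in product(STATES, repeat=2):
        out = op(s1, s2)
        if out not in STATES:                       # result must be a state
            return False
        if out == BOT and (s1, s2) != (BOT, BOT):   # clause (2)
            return False
        if not out <= (s1 | s2):                    # clause (3)
            return False
    if any(op(BOT, s) != s or op(s, BOT) != s for s in STATES):
        return False                                # unit law of clause (1)
    return all(op(op(a, b), c) == op(a, op(b, c))   # associativity, clause (1)
               for a, b, c in product(STATES, repeat=3))


def is_commutative(op):
    """True iff op(a, b) == op(b, a) on every pair of states."""
    return all(op(a, b) == op(b, a) for a, b in product(STATES, repeat=2))
```

Plain set union fails `is_merge` on this universe because it can leave the set of states, which is why clause (3) is stated as inclusion in $s_1 \cup s_2$.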

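Since a merge is a function $\otimes : \mathbb{S} \times \mathbb{S} \to \mathbb{S}$ it can be pointwise lifted to the mapping $\otimes^{\mathcal{S}} = \mathcal{S}(\otimes) \circ \psi_{\mathbb{S},\mathbb{S}} : \mathcal{S}(\mathbb{S}) \times \mathcal{S}(\mathbb{S}) \to \mathcal{S}(\mathbb{S})$, where $(r \otimes^{\mathcal{S}} r')(s) = r(s) \otimes r'(s)$. By means of $\otimes^{\mathcal{S}}$ we may define a new monad:

Definition 5.5 The Realizer Monad. Let $\otimes$ be a merge. Then we say that the tuple $(\mathcal{R}, \eta^{\mathcal{R}}, \_^{*^{\mathcal{R}}}, \otimes)$ is a realizer monad if:

$$\mathcal{R}X = \mathcal{S}(X) \times \mathcal{S}(\mathbb{S}) \quad \text{where } X \in |\mathbf{Set}|,$$

$$\eta^{\mathcal{R}}_X(x) = (\eta^{\mathcal{S}}_X(x), \eta^{\mathcal{S}}_{\mathbb{S}}(\bot)) \quad \text{for } x \in X,$$

$$f^{*^{\mathcal{R}}}(\alpha, r) = (f_1^{*^{\mathcal{S}}}(\alpha),\ r \otimes^{\mathcal{S}} f_2^{*^{\mathcal{S}}}(\alpha)) \quad \text{for } f : X \to \mathcal{R}Y \in \mathbf{Set} \text{ and } (\alpha, r) \in \mathcal{R}X,$$

where $f_i = \pi_i \circ f$ for $i = 1, 2$.

Below we write $\eta$ and $\_^{*}$ for $\eta^{\mathcal{S}}$, $\_^{*^{\mathcal{S}}}$ respectively, to simplify the notation, while keeping $\eta^{\mathcal{R}}$, $\_^{*^{\mathcal{R}}}$ to distinguish the unit and the extension map of the monad $\mathcal{R}$.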

The set $\mathcal{R}X = \mathcal{S}(X) \times \mathcal{S}(\mathbb{S})$ is larger than its part of interest: as shown in Section 4, the relevant part of $\mathcal{S}(X)$ is the set of individuals; on the other hand, as we shall see in the next section, we concentrate on realizers which are individuals in $\mathcal{S}(\mathbb{S})$ satisfying some further conditions. So that there is a slight abuse of terminology. However the monad provides an elegant way of pairing individuals and transformations over the states, which is at the basis of the forcing relation and the realizability interpretation we shall meet in Section 6.

A realizer monad is built on top of the state monad $(\mathcal{S}, \eta^{\mathcal{S}}, \_^{*^{\mathcal{S}}})$, and it is parametric in the merge $\otimes$. By definition unfolding we have:

$$\mathcal{R}X = (\mathbb{S} \to X) \times (\mathbb{S} \to \mathbb{S}), \qquad \eta^{\mathcal{R}}_X(x) = (\lambda\_.x,\ \lambda\_.\bot),$$

and

$$r \otimes^{\mathcal{S}} f_2^{*}(\alpha) = \lambda s \in \mathbb{S}.\ r(s) \otimes f_2(\alpha(s), s).$$

To better understand the definition of $f^{*^{\mathcal{R}}}$ observe that the function

$$f : X \to [(\mathbb{S} \to Y) \times (\mathbb{S} \to \mathbb{S})]$$

is identified with the pair $(f_1, f_2)$ (as they are the same in any cartesian category), so that:

$$f_1 : X \to (\mathbb{S} \to Y) \quad \text{and} \quad f_2 : X \to (\mathbb{S} \to \mathbb{S}),$$

and therefore

$$f_1^{*} : (\mathbb{S} \to X) \to (\mathbb{S} \to Y) \quad \text{and} \quad f_2^{*} : (\mathbb{S} \to X) \to (\mathbb{S} \to \mathbb{S}).$$

Of these the component $f_1^{*}$ is intended to associate individuals over $X$ to individuals over $Y$; the second and more relevant component $f_2^{*}$ formalises how functions over $\mathbb{S}$, in particular realizers, can depend on individuals. In particular the importance of merging of $r$ with $f_2^{*}(\alpha)$ as the second component of $f^{*^{\mathcal{R}}}(\alpha, r)$ will be discussed in Remark 5.8.

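Lemma 5.6. If $\otimes$ is a merge, then $(\mathcal{S}(\mathbb{S}), \otimes^{\mathcal{S}}, \lambda\_.\bot)$ is a monoid.

Proof. Observe that, by Remark 3.8 and the definition of $\psi$, $(r \otimes^{\mathcal{S}} r')(s) = r(s) \otimes r'(s)$ for all $s \in \mathbb{S}$, so that the fact that $\otimes$ is a monoidal operation over $\mathbb{S}$ with unit $\bot$ immediately implies that $(\mathcal{S}(\mathbb{S}), \otimes^{\mathcal{S}}, \lambda\_.\bot)$ is a monoid: for example $(r \otimes^{\mathcal{S}} \lambda\_.\bot)(s) = r(s) \otimes \bot = r(s)$ for all $s$, so that $r \otimes^{\mathcal{S}} \lambda\_.\bot = r$. □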

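Theorem 5.7. If $(\mathcal{R}, \eta^{\mathcal{R}}, \_^{*^{\mathcal{R}}}, \otimes)$ is a realizer monad then $(\mathcal{R}, \eta^{\mathcal{R}}, \_^{*^{\mathcal{R}}})$ is a Kleisli triple, and hence a monad.

Proof. By checking that $(\mathcal{R}, \eta^{\mathcal{R}}, \_^{*^{\mathcal{R}}})$ satisfies the three equations of Definition 3.4, and using the fact that, by Lemma 5.6, if $\otimes$ is a merge then $\otimes^{\mathcal{S}}$ is a monoidal operation over $\mathcal{S}(\mathbb{S})$ with unit $\lambda\_.\bot$.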

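• $f^{*^{\mathcal{R}}} \circ \eta^{\mathcal{R}}_X = f$, that is the following diagram commutes:

[Diagram: commuting triangle for $f^{*^{\mathcal{R}}} \circ \eta^{\mathcal{R}}_X = f$.]

Given $x \in X$ we have:

$$(f^{*^{\mathcal{R}}} \circ \eta^{\mathcal{R}}_X)(x) = f^{*^{\mathcal{R}}}(\lambda\_.x, \lambda\_.\bot) = (f_1^{*}(\lambda\_.x),\ \lambda\_.\bot \otimes^{\mathcal{S}} f_2^{*}(\lambda\_.x)) = (f_1^{*}(\lambda\_.x),\ f_2^{*}(\lambda\_.x)),$$

since $\lambda\_.\bot$ is the unit of $\otimes^{\mathcal{S}}$. But for all $s \in \mathbb{S}$, $f_1^{*}(\lambda\_.x, s) = f_1(x)$, and $f_2^{*}(\lambda\_.x, s) = f_2(x)$, and therefore we get:

$$(f^{*^{\mathcal{R}}} \circ \eta^{\mathcal{R}}_X)(x) = (f_1(x), f_2(x)) = (f_1, f_2)(x) = f(x).$$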

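• $(\eta^{\mathcal{R}}_Y)^{*^{\mathcal{R}}} = \mathrm{Id}_{\mathcal{R}Y}$. By definition $\eta^{\mathcal{R}}_Y = (\eta_Y,\ \lambda\_ \in Y.\ \eta_{\mathbb{S}}(\bot))$, where for any $\alpha \in \mathcal{S}Y$ we have:

$$(\lambda\_ \in Y.\ \eta_{\mathbb{S}}(\bot))^{*}(\alpha) = \lambda s \in \mathbb{S}.\ (\lambda\_.\bot)(s) = \lambda\_.\bot$$

Now for all $r : \mathbb{S} \to \mathbb{S}$ we have:

$$(\eta^{\mathcal{R}}_Y)^{*^{\mathcal{R}}}(\alpha, r) = ((\eta_Y)^{*}(\alpha),\ r \otimes^{\mathcal{S}} \lambda\_.\bot) = (\alpha, r),$$

by the fact that $(\eta_Y)^{*} = \mathrm{Id}_{\mathcal{S}Y}$ (Proposition 3.7) and that $\lambda\_.\bot$ is the unit of $\otimes^{\mathcal{S}}$.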

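• $g^{*^{\mathcal{R}}} \circ f^{*^{\mathcal{R}}} = (g^{*^{\mathcal{R}}} \circ f)^{*^{\mathcal{R}}}$, where $g : Y \to \mathcal{R}Z$: let again $f = (f_1, f_2)$ and $g = (g_1, g_2)$; given $\alpha : \mathbb{S} \to X$ and $r : \mathbb{S} \to \mathbb{S}$, by definition unfolding we have:

$$\begin{aligned}
(g^{*^{\mathcal{R}}} \circ f^{*^{\mathcal{R}}})(\alpha, r) &= g^{*^{\mathcal{R}}}(f_1^{*}(\alpha),\ r \otimes^{\mathcal{S}} f_2^{*}(\alpha)) \\
&= ((g_1^{*} \circ f_1^{*})(\alpha),\ (r \otimes^{\mathcal{S}} f_2^{*}(\alpha)) \otimes^{\mathcal{S}} (g_2^{*} \circ f_1^{*})(\alpha))
\end{aligned}$$

On the other hand let $h = g^{*^{\mathcal{R}}} \circ f = (h_1, h_2)$, where $h_i = \pi_i \circ g^{*^{\mathcal{R}}} \circ f$. Then

$$(g^{*^{\mathcal{R}}} \circ f)^{*^{\mathcal{R}}}(\alpha, r) = (h_1^{*}(\alpha),\ r \otimes^{\mathcal{S}} h_2^{*}(\alpha)).$$

Now:

$$\begin{aligned}
h_1^{*}(\alpha) &= \lambda s \in \mathbb{S}.\ (\pi_1 \circ g^{*^{\mathcal{R}}} \circ f)(\alpha(s), s) \\
&= \lambda s \in \mathbb{S}.\ \pi_1((g^{*^{\mathcal{R}}} \circ f)(\alpha(s)))(s) \\
&= \lambda s \in \mathbb{S}.\ \pi_1(g^{*^{\mathcal{R}}}(f_1(\alpha(s)), f_2(\alpha(s))))(s) \\
&= \lambda s \in \mathbb{S}.\ (g_1^{*}(f_1(\alpha(s))))(s) \\
&= \lambda s \in \mathbb{S}.\ (g_1^{*} \circ f_1)(\alpha(s), s) \\
&= (g_1^{*} \circ f_1)^{*}(\alpha).
\end{aligned}$$

Similarly we have:

$$\begin{aligned}
h_2^{*}(\alpha) &= \lambda s \in \mathbb{S}.\ (\pi_2 \circ g^{*^{\mathcal{R}}} \circ f)(\alpha(s), s) \\
&= \lambda s \in \mathbb{S}.\ \pi_2((g^{*^{\mathcal{R}}} \circ f)(\alpha(s)))(s) \\
&= \lambda s \in \mathbb{S}.\ (f_2(\alpha(s)) \otimes^{\mathcal{S}} (g_2^{*} \circ f_1)(\alpha(s)))(s) \\
&= f_2^{*}(\alpha) \otimes^{\mathcal{S}} (g_2^{*} \circ f_1)^{*}(\alpha) \quad \text{by claim (7) below,}
\end{aligned}$$

where

$$(f^{*}(\alpha) \otimes^{\mathcal{S}} g^{*}(\alpha))(s) = (f(\alpha(s)) \otimes^{\mathcal{S}} g(\alpha(s)))(s) \qquad (7)$$

is easily checked by definition unfolding. Summing up:

$$(g^{*^{\mathcal{R}}} \circ f)^{*^{\mathcal{R}}}(\alpha, r) = ((g_1^{*} \circ f_1)^{*}(\alpha),\ r \otimes^{\mathcal{S}} (f_2^{*}(\alpha) \otimes^{\mathcal{S}} (g_2^{*} \circ f_1)^{*}(\alpha))),$$

and we conclude by noting that $(g_1^{*} \circ f_1)^{*} = g_1^{*} \circ f_1^{*}$, $(g_2^{*} \circ f_1)^{*} = g_2^{*} \circ f_1^{*}$ since $\_^{*}$ is the extension of a Kleisli triple by Proposition 3.7, and because $\otimes^{\mathcal{S}}$ is associative.

□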

Remark 5.8. In any ccc it is the case that

$$(Z \to X) \times (Z \to Y) \simeq Z \to (X \times Y)$$

is a natural isomorphism, given by $(f, g) \mapsto \langle f, g \rangle$. Therefore

$$\mathcal{R}X = (\mathbb{S} \to X) \times (\mathbb{S} \to \mathbb{S}) \simeq \mathbb{S} \to (X \times \mathbb{S}),$$

which is equal to $\mathcal{S}(X \times \mathbb{S})$. $(\mathcal{R}, \eta^{\mathcal{R}}, \_^{*^{\mathcal{R}}})$ is similar to the side effect monad $(\mathcal{E}, \eta^{\mathcal{E}}, \_^{*^{\mathcal{E}}})$ in [Moggi 1991]:

$$\mathcal{E}X = S \to (X \times S)$$

$$\eta^{\mathcal{E}}_X(x) = \lambda s \in S.\ (x, s) = \langle \eta_X(x), \mathrm{Id}_S \rangle$$

$$f^{*^{\mathcal{E}}}(\gamma) = \lambda s \in S.\ f((\pi_1 \circ \gamma)(s), (\pi_2 \circ \gamma)(s))$$

where $S$ is some set of states, $f : X \to (S \to (Y \times S))$ and $\gamma : S \to (X \times S)$. In case of $S = \mathbb{S}$ we have that if $(\alpha, r)$ is a pair of convergent mappings, then $\langle \alpha, r \rangle : \mathbb{S} \to (X \times \mathbb{S})$ is such (see Corollary 4.7): therefore the isomorphism $\mathcal{R}X \simeq \mathcal{S}(X \times \mathbb{S})$ preserves convergence.

The computational idea behind $\mathcal{E}$ and $\mathcal{R}$ is however different. In the case of the side effects monad the function $f^{*^{\mathcal{E}}}(\gamma)(s)$, where $\gamma = \langle \gamma_1, \gamma_2 \rangle$, first evaluates $\gamma_1$ in the state $s$, possibly leading to a new state $s' = \gamma_2(s)$, intuitively because of side effects in the evaluation of $\gamma_1(s)$; then $f(\gamma_1(s)) : S \to (Y \times S)$ is evaluated in the new state $s'$. This is necessarily a sequential process.

In the case of the realizer monad the function $f^{*^{\mathcal{R}}}(\alpha, r) = (f_1^{*}(\alpha),\ r \otimes^{\mathcal{S}} f_2^{*}(\alpha))$ first computes a new dynamic object $f_1^{*}(\alpha)$, then forces it to satisfy some property using the realizer $f_2^{*}(\alpha)$ merged with the realizer $r$, that is supposed to satisfy some other (possibly different) property. The reason is that the search procedure represented by $f_2^{*}(\alpha)$ might change the state reached by some previous attempt by $r$ to force $\alpha$ into its own goal, destroying the work by $r$. Hence both $f_2^{*}(\alpha)$ and $r$ have to be kept while evaluating the realizer obtained by their merge, and cannot be sequentialized.

6. INTERACTIVE REALIZERS 

This section introduces the central concepts of interactive realizer and of interactive forcing, which are 
the main contribution of our work. Realizers have been introduced by Kleene as an interpretation of 
Brouwer's and Heyting's concept of construction. In the case of constructive theories a realizer is a direct 
computation, possibly depending on some parameters. With a non constructive theory like PRA + $\mathrm{EM}_1$ the saving of such an idea involves the shift from recursiveness to recursiveness in the limit. In this perspective a realizer is not an algorithm (a recursive function), rather it is the recursive generator of a search procedure that, along a series of attempts and failures, eventually attains its goal.

Definition 6.1 Interactive Realizers. An interactive realizer is a map $r \in \mathcal{S}(\mathbb{S}) = \mathbb{S} \to \mathbb{S}$, such that:

(1) $r$ is strongly convergent;

(2) $r$ is compatible with its arguments that is: $r(s) \uparrow s$ for all $s \in \mathbb{S}$;

(3) $r(s) \cap s = \bot$ for all $s \in \mathbb{S}$.

A state $s \in \mathbb{S}$ is a prefix point of $r : \mathbb{S} \to \mathbb{S}$ if $r(s) \sqsubseteq s$; by $\mathrm{Prefix}(r)$ we denote the set of prefix points of $r$.

Remark 6.2. By clause (1) above the realizers are individuals over $\mathbb{S}$. Note that identity over $\mathbb{S}$ is not convergent, and so it is not a realizer. Compatibility condition (2) is essential, together with convergence, for the existence of pre-fixed points: see Proposition 6.3 below. The function $\lambda\_.\bot$ is a (trivial) realizer and, because of clause (3), the only one among constant individuals.

By clause (3), if $r$ is a realizer we have that $s \in \mathrm{Prefix}(r)$ if and only if $r(s) = \bot$, because $r(s) \sqsubseteq s$ implies $r(s) \cap s = \bot$. Namely $\mathrm{Prefix}(r)$ is the set of "roots" of $r$. This clause is just intended to simplify the treatment of realizers, in the sense that if $r$ is a realizer, then $r(s)$ just adds "new" atoms to $s$; hence if $r(s) \sqsubseteq s$ this means that there is actually nothing to add.

Proposition 6.3 Cofinality of Realizers Prefix Points. If $r : \mathbb{S} \to \mathbb{S}$ is a realizer, then for all $s \in \mathbb{S}$ there is $s' \in \mathrm{Prefix}(r)$ such that $s \sqsubseteq s'$, namely $\mathrm{Prefix}(r)$ is cofinal in $\mathbb{S}$ (in particular it is non empty).

Proof. Given $s \in \mathbb{S}$ define the mapping $\sigma : \mathbb{N} \to \mathbb{S}$ by $\sigma(0) := s$ and $\sigma(i + 1) := \sigma(i) \cup r(\sigma(i))$, which exists because of the compatibility of $r$ with its argument. By construction $\sigma$ is a w.i. sequence, hence by the convergence of $r$, $r \circ \sigma$ has a limit $\sigma(i_0)$ for some $i_0$, that is $r(\sigma(i_0)) = r(\sigma(i_0 + 1))$. Then

$$\sigma(i_0 + 1) = \sigma(i_0) \cup r(\sigma(i_0)) = \sigma(i_0) \cup r(\sigma(i_0 + 1)),$$

which implies $r(\sigma(i_0 + 1)) \sqsubseteq \sigma(i_0 + 1)$; clearly $s = \sigma(0) \sqsubseteq \sigma(i_0 + 1) \in \mathrm{Prefix}(r)$. □

Remark 6.4. The proof of Proposition 6.3 describes a computation that, given an arbitrary $s_0$, produces the w.i. sequence $\sigma(0) = s_0$, $\sigma(1) = r(s_0) \cup s_0$, $\sigma(2) = r(r(s_0) \cup s_0) \cup r(s_0) \cup s_0, \ldots$ until a prefix point $\sigma(n)$ is found. Each time the sequence strictly increases, it is because $r(\sigma(i)) \neq \bot$, that intuitively means that the realizer $r$ has something to add to $\sigma(i)$ to reach its own goal, abstractly constituted by the set of prefix points of $r$. This search procedure, which is recursive in $r$, is monotonic as the knowledge grows, but this happens because only positive information is stored in the state. As a matter of fact the growth of the sequence generated by $r$ might redefine the values of some $\chi_P$ and $\varphi_P$ occurring in a formula $A$, which is the actual goal of $r$ when it is a realizer of $A$: this is an implicit backtracking (more precisely 1-backtracking: see [Berardi et al. 2005]), in the sense that we are retracting previous definitions of these symbols, and in particular of the Skolem functions $\varphi_P$, until $A$ becomes true.

After some $i$ has been found such that $r(\sigma(i)) = \bot$, the whole construction stops. However nothing prevents that, later, new atoms might be added to $\sigma(i)$, producing some $s' \sqsupseteq \sigma(i)$ not in $\mathrm{Prefix}(r)$. Now the cofinality of $\mathrm{Prefix}(r)$ in $\mathbb{S}$ implies that we can resume the search at $s'$ and that it will eventually succeed in finding some other $s'' \sqsupseteq s'$ which is in $\mathrm{Prefix}(r)$.

The reaching of a goal is represented by finding a prefix point of the relative realizer. The next 
proposition says that the prefix points of a merge are exactly the prefix points common to both the 
merged realizers. 

Proposition 6.5. Suppose that $\otimes$ is a merge: then for any pair of realizers $r, r'$, $r \otimes^{\mathcal{S}} r'$ is a realizer. Moreover:

$$\mathrm{Prefix}(r \otimes^{\mathcal{S}} r') = \mathrm{Prefix}(r) \cap \mathrm{Prefix}(r').$$

Proof. In view of the definition $\otimes^{\mathcal{S}} = \mathcal{S}(\otimes) \circ \psi_{\mathbb{S},\mathbb{S}}$, we know that $r \otimes^{\mathcal{S}} r'$ is strongly convergent by Corollary 4.7 and Remark 4.10, since $r$ and $r'$ are such.

For any $s \in \mathbb{S}$ we know that $s \uparrow r(s)$ and $s \uparrow r'(s)$; now $(r \otimes^{\mathcal{S}} r')(s) = r(s) \otimes r'(s)$ for all $s \in \mathbb{S}$ and we conclude that $s \uparrow (r(s) \otimes r'(s))$ by (1) of Lemma 5.2.

By (1) of Definition 6.1, $r(s) \cap s = \bot = r'(s) \cap s$; by (2) of Lemma 5.2 this implies:

$$(r \otimes^{\mathcal{S}} r')(s) \cap s = (r(s) \otimes r'(s)) \cap s = \bot.$$

This concludes the proof that $r \otimes^{\mathcal{S}} r'$ is a realizer.

This last fact implies that $\mathrm{Prefix}(r \otimes^{\mathcal{S}} r') = \{s \in \mathbb{S} \mid r(s) \otimes r'(s) = \bot\}$: by (2) of Definition 5.1 we know that $r(s) \otimes r'(s) = \bot$ implies both $r(s) = \bot$ and $r'(s) = \bot$, namely that $\mathrm{Prefix}(r \otimes^{\mathcal{S}} r') \subseteq \mathrm{Prefix}(r) \cap \mathrm{Prefix}(r')$.

Viceversa, if $s \in \mathrm{Prefix}(r) \cap \mathrm{Prefix}(r')$ then $r(s) = \bot = r'(s)$, so that, by $\bot \otimes \bot = \bot$, we have that $r(s) \otimes r'(s) = \bot$, that is $s \in \mathrm{Prefix}(r \otimes^{\mathcal{S}} r')$. □

We now relate formally interactive realizers to formulas of $\mathcal{L}_1$. First we define an abstract relation between realizers and families of sets indexed over $\mathbb{S}$ which we call interactive forcing.

Definition 6.6 Interactive Forcing. Let $r$ be a realizer, $\alpha \in \mathcal{S}X$ and $Y = \{Y_s \mid s \in \mathbb{S}\}$ a family of subsets of $X$ indexed over $\mathbb{S}$. Then $r$ interactively forces $\alpha$ into $Y$, written $r \Vdash \alpha : Y$, if for all $s \in \mathrm{Prefix}(r)$ it is the case that $\alpha(s) \in Y_s$.

Let us now consider the formulas. In the standard model the semantics of a formula $A$ with (free) variables included into $\vec{x} = x_1, \ldots, x_k$ is a $k$-ary relation over $\mathbb{N}$, which is the extension of the formula. In our model the extension of $A$ is the $\mathbb{S}$-indexed family of sets $\mathrm{ext}(A) := \{\mathrm{ext}(A)_s \mid s \in \mathbb{S}\}$ where:

$$\mathrm{ext}(A)_s := \{\vec{m} \mid \mathrm{FV}(A) \subseteq \vec{x} \ \&\ |\vec{x}| = |\vec{m}| \ \&\ [\![A]\!]^{\mathcal{S}}_{[\lambda\_.\vec{m}/\vec{x}]}(s) = \mathrm{true}\}.$$

Here $\vec{m} = m_1, \ldots, m_k$ is a $k$-ple of natural numbers, $|\vec{m}| = |\vec{x}| = k$, and $[\lambda\_.\vec{m}/\vec{x}] = [\lambda\_.m_1/x_1, \ldots, \lambda\_.m_k/x_k]$ is the environment associating $\lambda\_.m_i$ to $x_i$ for each $i$. We now define the forcing of $A$ in terms of the extension of $A$.

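Definition 6.7 Interactive Forcing of a Formula. Let $r$ be a realizer, $A \in \mathcal{L}_1$ with $\mathrm{FV}(A) \subseteq \vec{x} = x_1, \ldots, x_k$, and $\vec{\alpha} = \alpha_1, \ldots, \alpha_k \in \mathcal{S}\mathbb{N}$. Then we say that $r$ interactively forces $\vec{\alpha}$ into $A$, written $r \Vdash \vec{\alpha} : A(\vec{x})$, if $r \Vdash \langle \alpha_1, \ldots, \alpha_k \rangle : \mathrm{ext}(A)$.

To each formula $A \in \mathcal{L}_1$ Definition 6.7 associates the relation $\{(r, \vec{\alpha}) \mid r \Vdash \vec{\alpha} : A(\vec{x})\} \subseteq \mathcal{S}(\mathbb{S}) \times \mathcal{S}(\mathbb{N}^k) \simeq \mathcal{R}(\mathbb{N}^k)$, where $k$ is the length of $\vec{\alpha}$ and $\vec{x}$, making apparent the connection between forcing and the realizer monad $\mathcal{R}$.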

In view of Proposition 6.5 and of Remark 6.4, the intuitive idea of the forcing relation $r \Vdash \vec{\alpha} : A(\vec{x})$ is that, whenever the variables $\vec{x}$ including all the free variables of $A$ are interpreted by the individuals $\vec{\alpha}$, the sequence generated by $r$ out of an arbitrary $s_0$ will eventually reach (in a finite number of steps) some state $s \in \mathrm{Prefix}(r)$ making true that $\vec{\alpha}(s) \in \mathrm{ext}(A)_s$. This is however a subtly complex task: the action of $r$ is to direct $\vec{\alpha}$ into $\mathrm{ext}(A)$ by extending the given state; but we must keep in mind that such a search aiming at the target $\mathrm{ext}(A)_s$ for some $s$, moves the target itself as a side effect. Note also that:

$$\langle \alpha_1, \ldots, \alpha_k \rangle(s) = (\alpha_1(s), \ldots, \alpha_k(s)) \in \mathrm{ext}(A)_s \iff [\![A]\!]^{\mathcal{S}}_{[\lambda\_.\vec{\alpha}(s)/\vec{x}]}(s) = [\![A]\!]^{\mathcal{S}}_{[\vec{\alpha}/\vec{x}]}(s) = \mathrm{true}.$$

By the fact that we do not ask that the free variables of $A$ are exactly $\vec{x}$, but only included among them, the sets $\mathrm{ext}(A)_s$ contain tuples of different length (though there is a minimum length which is the cardinality of $\mathrm{FV}(A)$), which implies that if $r \Vdash \vec{\alpha} : A(\vec{x})$ then $r \Vdash \vec{\alpha}, \vec{\beta} : A(\vec{x}, \vec{y})$ for all vectors $\vec{y}$ and $\vec{\beta}$ such that $|\vec{y}| = |\vec{\beta}|$.

Toward the proof of the claim that any theorem of PRA + $\mathrm{EM}_1$ is interactively realizable, we begin with the logical and arithmetic axioms. Together we consider also the $(\varphi)$-axioms, since in all these cases the realizer turns out to be the trivial one.

Lemma 6.8 Logical, Arithmetic or $(\varphi)$-Axioms. If $A$ is either a non logical axiom of PRA, or an axiom of IPC, or an instance of the $(\varphi)$-axiom, then $\lambda\_.\bot \Vdash \vec{\alpha} : A$.

Proof. It follows by Proposition 3.17, since $\lambda\_.\bot$ is a realizer and $\mathrm{Prefix}(\lambda\_.\bot) = \mathbb{S}$. □

Now we come to the study of the $(\chi)$-axioms. For any $k + 1$-ary primitive recursive predicate $P$ (we abuse notation below, writing ambiguously $P$ for the symbol and for its standard interpretation) let us define $r_P : \mathbb{N}^{k+1} \times \mathbb{S} \to \mathbb{S}$ as follows:

$\{(P, \vec{m}, n)\}$ if $P(\vec{m}, n)$ and $\forall n'.\ (P, \vec{m}, n') \notin s$

Lemma 6.9. For all $\vec{m}, n \in \mathbb{N}$, $\lambda s \in \mathbb{S}.\ r_P(\vec{m}, n, s)$ is a realizer.

Proof. That $r_P(\vec{m}, n, s) \cap s = \bot$ for any $s \in \mathbb{S}$ is immediate by definition. It remains to prove that $\lambda s \in \mathbb{S}.\ r_P(\vec{m}, n, s)$ is strongly convergent and consistent with its arguments.

Let $\sigma$ be any w.i. sequence. If $\neg P(\vec{m}, n)$ then $r_P(\vec{m}, n, \sigma(i)) = \bot$ for all $i$. Suppose instead that $P(\vec{m}, n)$ is true. If $(P, \vec{m}, n') \notin \sigma(i)$ for all $n'$ and $i$, then $r_P(\vec{m}, n, \sigma(i)) = \{(P, \vec{m}, n)\}$ for all $i$; otherwise there exist $i$ and $n'$ such that for all $j > i$, $(P, \vec{m}, n') \in \sigma(j)$, as $\sigma$ is weakly increasing. Then $r_P(\vec{m}, n, \sigma(j)) = \bot$ for all $j > i$.

If $r_P(\vec{m}, n, s) = \{(P, \vec{m}, n)\}$ then $P(\vec{m}, n)$ is true so that $\{(P, \vec{m}, n)\} \in \mathbb{S}$. Moreover $(P, \vec{m}, n') \notin s$ for all $n' \in \mathbb{N}$, hence $\{(P, \vec{m}, n)\} \uparrow s$. If instead $r_P(\vec{m}, n, s) = \bot$ then the thesis holds trivially since $\bot \uparrow s$. □

Recall that $r_P = r_P^{*} \circ \psi_{\mathbb{N}^{k+1}}$, so that for any $\vec{\alpha}, \beta \in \mathcal{S}\mathbb{N}$ we have:

$$r_P(\vec{\alpha}, \beta) = \lambda s \in \mathbb{S}.\ r_P(\vec{\alpha}(s), \beta(s), s).$$

The next lemma states that, under the condition that $\vec{\alpha}, \beta$ are individuals (that is strongly convergent) $r_P(\vec{\alpha}, \beta)$ is a realizer of the $(\chi)$-axiom instance relative to $P$.



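Lemma 6.10 $\chi$-Axiom. If $P$ is a $k + 1$-ary primitive recursive predicate, and $\vec{\alpha}, \beta \in \mathcal{S}\mathbb{N}$ are strongly convergent then $r_P(\vec{\alpha}, \beta)$ is a realizer, and it is such that:

$$r_P(\vec{\alpha}, \beta) \Vdash \vec{\alpha}, \beta : P(\vec{x}, y) \to \chi_P(\vec{x}).$$

Proof. By definition, $r_P(\vec{\alpha}, \beta, s) = r_P(\vec{\alpha}(s), \beta(s), s)$, so that it is consistent with $s$ and the intersection $r_P(\vec{\alpha}, \beta, s) \cap s = \bot$ because $r_P(\vec{m}, n, s) \cap s = \bot$ for all $\vec{m}, n$. Since $r_P^{*}$ is global by Corollary 4.4, we know that $r_P$ is $k + 1$-global by Lemma 4.8. Now

$$r_P(\lambda\_.\vec{m}, \lambda\_.n, s) = r_P(\vec{m}, n, s),$$

and the latter is an individual by Lemma 6.9. It follows that $r_P(\vec{\alpha}, \beta)$ is an individual if $\vec{\alpha}$ and $\beta$ are such, by Corollary 4.9. We conclude that $r_P(\vec{\alpha}, \beta)$ is a realizer.

If $s \in \mathrm{Prefix}(r_P(\vec{\alpha}, \beta))$ then $r_P(\vec{\alpha}(s), \beta(s), s) = \bot$. It follows that either $\neg P(\vec{\alpha}(s), \beta(s))$ or $(P, \vec{\alpha}(s), n) \in s$ for some $n \in \mathbb{N}$ (not necessarily equal to $\beta(s)$): this implies that $[\![\chi_P(\vec{x})]\!]^{\mathcal{S}}_{[\vec{\alpha},\beta/\vec{x},y]}(s) = [\![\chi_P]\!](\vec{\alpha}(s), s) = \mathrm{true}$. In both cases we have $[\![P(\vec{x}, y) \to \chi_P(\vec{x})]\!]^{\mathcal{S}}_{[\vec{\alpha},\beta/\vec{x},y]}(s) = \mathrm{true}$ that is $\vec{\alpha}(s), \beta(s) \in \mathrm{ext}(P(\vec{x}, y) \to \chi_P(\vec{x}))_s$.

□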

Remark 6.11. By reading Lemma 6.10 together with Remark 6.4 we see one reason for naming "interactive realizer" the map $r = r_P(\vec{\alpha}, \beta)$. In fact we have seen that each time the sequence generated by $r$ strictly increases it is because $r(\sigma(i)) \neq \bot$, and this happens whenever $P(\vec{\alpha}(\sigma(i)), \beta(\sigma(i)))$ holds but $(P, \vec{\alpha}(\sigma(i)), n) \notin \sigma(i)$ for any $n \in \mathbb{N}$. In such a case the next state in the sequence is $\sigma(i + 1) = r(\sigma(i)) \cup \sigma(i) = \{(P, \vec{\alpha}(\sigma(i)), \beta(\sigma(i)))\} \cup \sigma(i)$ so that the newly found tuple $(P, \vec{\alpha}(\sigma(i)), \beta(\sigma(i)))$ is added to $\sigma(i)$. In particular if a prefix point of $r$ is reached, that is $r(s) = \bot$, no more information is needed to make the realized formula true w.r.t. such a state.

If we further consider the implication $P(\vec{x}, y) \to P(\vec{x}, \varphi_P(\vec{x}))$, which follows in PRA + $\mathrm{EM}_1$ by the $(\varphi)$-axiom and the $(\chi)$-axiom, we see that whenever

$$[\![P(\vec{x}, y) \to P(\vec{x}, \varphi_P(\vec{x}))]\!]^{\mathcal{S}}_{[\vec{\alpha},\beta/\vec{x},y]}(s) = \mathrm{false},$$

the tuple $(P, \vec{\alpha}(s), \beta(s))$ is the witness of the fact that the implication fails at $s = \sigma(i)$. This is used at the next step in the attempt to make it true at $s' = r(s) \cup s$, by means of the fact that $[\![\varphi_P(\vec{x})]\!]^{\mathcal{S}}_{[\vec{\alpha}/\vec{x}]}(s') = \beta(s)$. By this we see how the counterexample to the implication at a previous stage is used to redefine the value of the Skolem function $\varphi_P$ in the point $\vec{\alpha}(s')$, which is the result of the interaction between the realizer $r$ and the "nature", that is the standard model.

However it is not necessarily the case that $\vec{\alpha}(s') = \vec{\alpha}(s)$, which implies that the value of $[\![P(\vec{x}, y) \to P(\vec{x}, \varphi_P(\vec{x}))]\!]^{\mathcal{S}}_{[\vec{\alpha},\beta/\vec{x},y]}(s')$ could still be false. It is here that the hypothesis that the $\vec{\alpha}$ are convergent is crucial, since $s \sqsubseteq s'$ and in general the value of $\vec{\alpha} \circ \sigma$ is eventually constant.

According to our interpretation, logical rules are realized by the merging of the realizers of the premises. Let us first consider the case of modus ponens.

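Lemma 6.12 Modus Ponens Rule. If $r \Vdash \vec{\alpha} : A$ and $r' \Vdash \vec{\alpha} : A \to B$ then $r \otimes^{\mathcal{S}} r' \Vdash \vec{\alpha} : B$.

Proof. Let $\vec{\alpha} = \alpha_1, \ldots, \alpha_k$: then $\mathrm{ext}(A \to B)_s$, $\mathrm{ext}(A)_s$ and $\mathrm{ext}(B)_s$ are subsets of the universe $\mathbb{N}^k$, so that in particular we can take the complement $\mathrm{ext}(A)_s = \mathbb{N}^k \setminus \mathrm{ext}(A)_s$. Then let us observe that for all $s \in \mathbb{S}$:

$$\mathrm{ext}(A \to B)_s = \mathrm{ext}(A)_s \cup \mathrm{ext}(B)_s$$

By Proposition 6.5 we know that $r \otimes^{\mathcal{S}} r'$ is a realizer such that $\mathrm{Prefix}(r \otimes^{\mathcal{S}} r') = \mathrm{Prefix}(r) \cap \mathrm{Prefix}(r')$. Therefore, by the hypotheses, if $s \in \mathrm{Prefix}(r \otimes^{\mathcal{S}} r')$ then

$$\vec{\alpha}(s) \in \mathrm{ext}(A)_s \cap \mathrm{ext}(A \to B)_s = \mathrm{ext}(A)_s \cap (\mathrm{ext}(A)_s \cup \mathrm{ext}(B)_s) = \mathrm{ext}(A)_s \cap \mathrm{ext}(B)_s,$$

hence $\vec{\alpha}(s) \in \mathrm{ext}(B)_s$ as desired. □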

Remark 6.13. In Remark 6.11 we have stressed that even in the case of the $(\chi)$-axiom the realizer might reach its prefix point in several steps, and after several tests against the standard model of arithmetic: this is a first form of interaction. The case of modus ponens rule MP, as well as the more complex one of IND treated below, illustrates a second form of interaction between two or more realizers. While searching a prefix point of $r \otimes^{\mathcal{S}} r'$ the given realizers $r$ and $r'$ do not necessarily move to the same states, not even to compatible ones. The realizer $r \otimes^{\mathcal{S}} r'$ lets $r$ and $r'$ dialogue via the state by merging of the respective sequences they generate. This process depends on the choice of the merge: with $\otimes_0^{\mathcal{S}}$, for example, it is a rigid interleaving of the searches generated by $r$ and $r'$, giving precedence to $r$, while with $\otimes_1^{\mathcal{S}}$ and $\otimes_2^{\mathcal{S}}$ the resulting sequence is generated by parallel process.

We observe that the merging of realizers is the meaning of any inference rule with more than one 
premise. 
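The search of Remark 6.4 run on a merged realizer, as an added Python example (not code from the paper). The predicates, the individuals `const` and `lookup`, and the atom universe are constructed; `r_atom` returns ⊥ outside the case displayed for $r_P$, as the proof of Lemma 6.9 uses, the merge is the biased one of Proposition 5.3, and only clauses (2) and (3) of Definition 6.1 are checked.

```python
from itertools import combinations

BOT = frozenset()  # the empty state ⊥

# Constructed predicates standing in for primitive recursive P and Q.
PREDS = {"P": lambda m, n: n > m, "Q": lambda m, n: n == m + 7}


def const(k):
    """Constant individual lambda_.k."""
    return lambda s: k


def lookup(name, m, default):
    """State-dependent individual: the n with (name, m, n) in s, if any."""
    return lambda s: next((n for (p, mm, n) in s if (p, mm) == (name, m)),
                          default)


def r_atom(name, alpha, beta):
    """s -> {(name, alpha(s), beta(s))} if that atom is true and s holds no
    (name, alpha(s), n') yet; otherwise ⊥ (assumption taken from Lemma 6.9)."""
    def r(s):
        m, n = alpha(s), beta(s)
        known = any((p, mm) == (name, m) for (p, mm, _) in s)
        if PREDS[name](m, n) and not known:
            return frozenset({(name, m, n)})
        return BOT
    return r


def merged(r1, r2):
    """Pointwise lifting of the biased merge: r1 wins unless it returns ⊥."""
    return lambda s: r1(s) if r1(s) != BOT else r2(s)


def search(r, s0, fuel=100):
    """sigma(0) = s0, sigma(i+1) = sigma(i) ∪ r(sigma(i)); stop at a prefix point."""
    trace = [s0]
    for _ in range(fuel):
        new = r(trace[-1])
        if new <= trace[-1]:
            return trace
        trace.append(trace[-1] | new)
    raise RuntimeError("no prefix point found within the step budget")


def is_state(atoms):
    """Consistency: at most one n per (P, m)."""
    return len({(p, m) for (p, m, _) in atoms}) == len(atoms)


def is_prefix(r, s):
    return r(s) <= s


R_Q = r_atom("Q", const(0), const(7))
R_P = r_atom("P", const(3), lookup("Q", 0, 0))  # beta reads what R_Q learns
R_PQ = merged(R_P, R_Q)

# Every consistent state over a constructed universe of true atoms.
ATOMS = [("Q", 0, 7), ("P", 3, 7), ("P", 3, 5), ("P", 3, 4)]
STATES = [frozenset(c) for k in range(len(ATOMS) + 1)
          for c in combinations(ATOMS, k) if is_state(c)]


def satisfies_def_6_1(r):
    """Clauses (2) and (3) of Definition 6.1 on every state of STATES."""
    return all(is_state(r(s) | s) and not (r(s) & s) for s in STATES)


def prefix_law_holds():
    """Prefix(r ⊗ r') = Prefix(r) ∩ Prefix(r') on every state of STATES."""
    return all(is_prefix(R_PQ, s) == (is_prefix(R_P, s) and is_prefix(R_Q, s))
               for s in STATES)
```

Started at ⊥, `R_P` alone stops immediately, while `R_PQ` first lets `R_Q` add its atom and then `R_P` reacts to it: the two realizers communicate only through the state.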

Recall the convention that the writing A{x) means that x might occur free in A, and A{t) is informal 
for the substitution A[t/x] of t for x in A. 

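Lemma 6.14 Substitution Rule. If $r \Vdash \vec{\alpha}, \beta : A(\vec{x}, y)$ for all convergent $\vec{\alpha}, \beta$, then for any $t \in \mathcal{L}_1$ such that $\mathrm{FV}(t) \subseteq \vec{x}$, $r \Vdash \vec{\alpha}, \beta : A(\vec{x}, t)$.

Proof. By the hypothesis and the fact that $[\![t]\!]^{\mathcal{S}}_{[\vec{\alpha}/\vec{x}]}$ is convergent by Theorem 4.14, we have that $r \Vdash \vec{\alpha}, [\![t]\!]^{\mathcal{S}}_{[\vec{\alpha}/\vec{x}]} : A(\vec{x}, y)$, where we note that the environment $[\vec{\alpha}/\vec{x}]$ is not defined over $y$, which however does not occur in $t$. By Lemma 3.16

so that $r \Vdash \vec{\alpha} : A(\vec{x}, t)$ and, since $y \notin \mathrm{FV}(A(\vec{x}, t))$, also $r \Vdash \vec{\alpha}, \beta : A(\vec{x}, t)$. □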

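Lemma 6.15 Induction Rule. Suppose that for all convergent $\vec{\alpha}$ and $\beta$:

$$r(\vec{\alpha}) \Vdash \vec{\alpha} : A(\vec{x}, 0) \quad \text{and} \quad r'(\vec{\alpha}, \beta) \Vdash \vec{\alpha}, \beta : A(\vec{x}, y) \to A(\vec{x}, \mathrm{succ}(y)).$$

For all $\vec{\alpha}$ let $f(\vec{\alpha}) : \mathbb{N} \to \mathcal{S}(\mathbb{S})$ be defined by (primitive) recursion: $f(\vec{\alpha}, 0) = \lambda\_.\bot$ and $f(\vec{\alpha}, n + 1) = f(\vec{\alpha}, n) \otimes^{\mathcal{S}} r'(\vec{\alpha}, \lambda\_.n)$. Then for all convergent $\vec{\alpha}$ and $\beta$, $f(\vec{\alpha})^{*}(\beta)$ is a realizer and:

$$r(\vec{\alpha}) \otimes^{\mathcal{S}} (f(\vec{\alpha})^{*}(\beta)) \Vdash \vec{\alpha}, \beta : A(\vec{x}, y).$$

Proof. To simplify the notation, we fix the vector $\vec{\alpha}$ and write just $r$ for $r(\vec{\alpha})$, $r'(\beta)$ for $r'(\vec{\alpha}, \beta)$, $f(n)$ for $f(\vec{\alpha}, n)$ and hence $f^{*}(\beta)$ for $f(\vec{\alpha})^{*}(\beta)$.

First we have to check that $f^{*}(\beta)$ is a realizer. Note that for any $n \in \mathbb{N}$ we have $f^{*}(\lambda\_.n) = r'(\lambda\_.0) \otimes^{\mathcal{S}} \cdots \otimes^{\mathcal{S}} r'(\lambda\_.n - 1)$ (or just $\lambda\_.\bot$ when $n = 0$), which is a realizer by Proposition 6.5. The function $f^{*}(\beta)$ is global (or $k$-global to take the $\vec{\alpha}$ into account) by Corollary 4.4 and, as we have just seen, it sends constant individuals into realizers which are individuals of $\mathbb{S}$: hence $f^{*}(\beta)$ is an individual for any individual $\beta$ by (2) of Theorem 4.6. The remaining conditions (2) and (3) of Definition 6.1 are immediately seen to hold by observing that for all $s \in \mathbb{S}$, $f^{*}(\beta, s) = r'(\lambda\_.0, s) \otimes \cdots \otimes r'(\lambda\_.\beta(s) - 1, s)$.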

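In order to prove the thesis, we establish by induction over $n$ that:

$$\forall n \in \mathbb{N}.\ r \otimes^{\mathcal{S}} f^{*}(\lambda\_.n) \Vdash \vec{\alpha}, \lambda\_.n : A(\vec{x}, y). \qquad (8)$$

For the base case we have $r \otimes^{\mathcal{S}} f^{*}(\lambda\_.0) = r \otimes^{\mathcal{S}} \lambda\_.\bot = r$, and we know that $r \Vdash \vec{\alpha} : A(\vec{x}, 0)$, which implies $r \Vdash \vec{\alpha}, \lambda\_.0 : A(\vec{x}, 0)$ vacuously as $y \notin \mathrm{FV}(A)$.

For the step case we have $r \otimes^{\mathcal{S}} f^{*}(\lambda\_.n + 1) = r \otimes^{\mathcal{S}} f^{*}(\lambda\_.n) \otimes^{\mathcal{S}} r'(\lambda\_.n)$, but:

$r'(\lambda\_.n) \Vdash \vec{\alpha}, \lambda\_.n : A(\vec{x}, y) \to A(\vec{x}, \mathrm{succ}(y))$ by the hypothesis of the lemma, and

$r \otimes^{\mathcal{S}} f^{*}(\lambda\_.n) \Vdash \vec{\alpha}, \lambda\_.n : A(\vec{x}, y)$ by induction hypothesis.

We then obtain that $r \otimes^{\mathcal{S}} f^{*}(\lambda\_.n + 1) \Vdash \vec{\alpha}, \lambda\_.n : A(\vec{x}, \mathrm{succ}(y))$, by Lemma 6.12. By the Substitution Lemma 3.16, $[\![A(\vec{x}, \mathrm{succ}(y))]\!]^{\mathcal{S}}_{[\vec{\alpha},\lambda\_.n/\vec{x},y]} = [\![A(\vec{x}, y)]\!]^{\mathcal{S}}_{[\vec{\alpha},\lambda\_.n+1/\vec{x},y]}$, and therefore we conclude that $r \otimes^{\mathcal{S}} f^{*}(\lambda\_.n + 1) \Vdash \vec{\alpha}, \lambda\_.n + 1 : A(\vec{x}, y)$.

Now for any $\beta \in \mathcal{S}\mathbb{N}$ and $s \in \mathbb{S}$:

$$(r \otimes^{\mathcal{S}} f^{*}(\beta))(s) = r(s) \otimes f^{*}(\beta, s) = r(s) \otimes f^{*}(\lambda\_.\beta(s), s),$$

because $f^{*}$ is global, and $r \otimes^{\mathcal{S}} f^{*}(\lambda\_.\beta(s)) \Vdash \vec{\alpha}, \lambda\_.\beta(s) : A(\vec{x}, y)$ by (8) above since $\beta(s) \in \mathbb{N}$. It follows that if $s \in \mathrm{Prefix}(r \otimes^{\mathcal{S}} f^{*}(\beta))$ then

$$(r \otimes^{\mathcal{S}} f^{*}(\beta))(s) = \bot = (r \otimes^{\mathcal{S}} f^{*}(\lambda\_.\beta(s)))(s),$$

so that $s \in \mathrm{Prefix}(r \otimes^{\mathcal{S}} f^{*}(\lambda\_.\beta(s)))$. This implies that

$$[\![A(\vec{x}, y)]\!]^{\mathcal{S}}_{[\vec{\alpha},\beta/\vec{x},y]}(s) = [\![A(\vec{x}, y)]\!]^{\mathcal{S}}_{[\vec{\alpha},\lambda\_.\beta(s)/\vec{x},y]}(s) = \mathrm{true},$$

by Lemma 4.12. □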

Remark 6.16. The point of the proof of Lemma 6.15 is the use of Density Theorem 4.6. In fact the interpretation of induction via primitive recursion implies that we are proving some statement about numbers in $\mathbb{N}$ and that we are able to compute with them, while the realizability interpretation deals with individuals in $\mathcal{S}\mathbb{N}$. The import of density is that, given that the interpretation of formulas is a global function of the individuals interpreting their variables, everything lifts uniformly from $\mathbb{N}$ to $\mathcal{S}\mathbb{N}$.

Theorem 6.17 Interactive Realizability Theorem. Suppose that PRA + $\mathrm{EM}_1 \vdash A$, for some $A \in \mathcal{L}_1$ with $\mathrm{FV}(A) \subseteq \vec{x} = x_1, \ldots, x_k$. Then for all $\vec{\alpha} = \alpha_1, \ldots, \alpha_k$ of individuals in $\mathcal{S}\mathbb{N}$ there exists a realizer $r(\vec{\alpha})$ which is recursive in $\vec{\alpha}$, such that $r(\vec{\alpha}) \Vdash \vec{\alpha} : A$. Moreover the form of $r(\vec{\alpha})$ depends on the proof of $A$ in PRA + $\mathrm{EM}_1$.

Proof. The existence of $r(\vec{\alpha})$ follows by the lemmas 6.8, 6.10, 6.12, 6.14 and 6.15, and by the remark that (possibly after renaming) the length $k$ of $\vec{x}$ and $\vec{\alpha}$ can be taken to be large enough to include all variables occurring in the proof. That $r$ is a recursive functional of $\vec{\alpha}$ follows by the fact that all realizers constructed in the lemmas above are $\lambda$-definable. Finally that $r(\vec{\alpha})$ (and hence $r$ itself) actually reflects the structure of the proof of $A$ is clear by construction.

□

By choosing as the convergent $\vec{\alpha}$ the vector of constant individuals $\lambda\_.\vec{m}$ one can use the realizer associated to the proof of a PRA + $\mathrm{EM}_1$ theorem to compute the witness $\varphi_P(\vec{t}\,)$ of $A(\varphi_P(\vec{t}\,))$ in the standard input $\vec{m}$: the general case of convergent $\vec{\alpha}$ is however needed in the proof of the theorem and for the compositionality of its construction.

The computational content of the proof, which we identify with the realizer, is however trivial in case no instance of the $(\chi)$-axiom occurs in it.

Corollary 6.18. If PRA + $(\varphi) \vdash A$ for $A \in \mathcal{L}_1$, then the realizer $r(\vec{\alpha})$ of Theorem 6.17 is just $\lambda\_.\bot$. Hence $[\![A]\!]^{\mathcal{S}}_{\xi}(s) = \mathrm{true}$ for all environment $\xi$, and state $s$.

Proof. By inspection of the lemmas used in the proof of the theorem, the realizer $r(\vec{\alpha})$ is a composition of the realizers used in the axioms by the operator $\otimes^{\mathcal{S}}$: this is immediate in all cases but for induction rule (Lemma 6.15), which is however easily checked by induction over $\mathbb{N}$, and then lifted to $\mathcal{S}\mathbb{N}$ by the very same argument we used in the proof of the lemma. But in case the proof of $A$ does not use any instance of the $(\chi)$-axiom, they are all $\lambda\_.\bot$, which is the unit of $\otimes^{\mathcal{S}}$.

Now the second part of the thesis follows by Theorem 6.17, and by remembering that $\mathrm{Prefix}(\lambda\_.\bot) = \mathbb{S}$. □

7. RELATED WORKS 

The spectrum of research ideas that have been influential on our work and of those that, even a posteriori, reveal to be connected to our results is too wide to be exhaustively treated. Therefore we limit ourselves to a sketch of the approaches we feel closer to ours, either because we are building over them, or because we want to underline similarities and differences.

Coquand's game semantics of classical arithmetic. A primary source of the present research is Coquand's semantics of evidence for classical arithmetic [Coquand 1991]. Non constructive principles like excluded middle are treated there by means of backtracking and learning, and rely on the fact that in each play only a finite amount of information about them is actually needed. The concept of 1-backtracking games appearing in [Berardi et al. 2005], which can be seen as a restricted form of games in [Coquand 1991] but with plays of possibly infinite length, is closely related to the present work. Given a game $G$, the 1-backtracking game $\mathrm{bck}(G)$ allows the player to come back to some previous move in a play, by undoing and forgetting all the intermediate moves made by either player. In this modified game the player does not lose if a losing position is reached, rather the player loses only if forced to backtrack to the same position infinitely many times. This backtracking procedure, in which a player's strategy over $\mathrm{bck}(G)$ consists, can be interpreted as a learning procedure, in the sense that the player learns from her own trials and errors, and is allowed to follow a different path in a tree of plays using the experience made so far. A winning strategy over $\mathrm{bck}(G)$ is effective, and the truth of any PRA + $\mathrm{EM}_1$ theorem can be learned in this way: this is not true, however, if non constructive principles are admitted of logical complexity which is higher than $\mathrm{EM}_1$.

We might interpret our construction as an implementation of the same idea. This has been explained in the text, and especially in the remarks of Section 6. With respect to [Berardi et al. 2005] we provide the needed machinery, together with a language, to denote learning strategies which is tailored for extracting them out of proofs.

Gold's theory of learning in the limit. The concept of dynamic individuals comes from Gold's theory of learning in the limit, exposed in [Gold 1965; 1967]. A $k$-ary numerical function $f$ is computable in the limit if there exists a recursive (total) $k + 1$-function $g$ such that for all $\vec{m} \in \mathbb{N}^k$ the sequence $g(\vec{m}, 0), g(\vec{m}, 1), \ldots$ is eventually constant and equal to $f(\vec{m})$, i.e. $f(\vec{m}) = \lim_{n \in \mathbb{N}} g(\vec{m}, n)$. Then $g$ is a guessing function for $f$, that makes the values of $f$ learnable. This is equivalent to say that $f(\vec{m})$ is an individual in our sense. Viceversa the functions $\varphi_P(\vec{m})$ and the predicates $\chi_P(\vec{m})$ are computable in the limit (with the $(k + 1)$-th argument in $\mathbb{S}$, but note that states are concrete and finite objects, hence encodable into $\mathbb{N}$) by their guessing functions $[\![\varphi_P]\!]$ and $[\![\chi_P]\!]$ (see Definition 3.2 above), with the minor difference that we take the limit w.r.t. w.i. sequences over $\mathbb{S}$ (but note that states are concrete and finite objects and that $\mathbb{S}$ is a decidable set, hence encodable into a decidable subset of $\mathbb{N}$). More importantly, the ordering of $\mathbb{S}$ is state extension rather than the arbitrary ordering of (code) numbers. Moreover infinitely many incompatible w.i. sequences exist in $\mathbb{S}$, hence the limit of an individual depends on the choice of the sequence, in general.

The $\epsilon$-substitution method. This is a method to eliminate quantifiers by replacing them with $\epsilon$-terms,
which has been introduced in [Hilbert and Bernays 1970] (but see the exposition and improvement of
the method in [Mints 1996]). It consists in the introduction of the new term $\epsilon x A$ for each formula $A(x)$,
whose meaning is: "the least $x$ such that $A(x)$", that makes quantifiers definable by adding the new
axioms (called critical formulas): $A(t) \to A(\epsilon x A)$. Any classical proof of arithmetic can be transformed
into a proof without quantifiers and using as axioms a finite set of critical formulas instead; now Hilbert
suggested and Ackermann proved that one can effectively find a solving substitution $S$ of $\epsilon$-terms by
numerals validating all the formulas in the proof (for which it suffices to validate the critical formulas).
This is achieved by arranging a sequence $S_0, S_1, \ldots$ of substitutions such that $S_0$ is the identically
substitution, and $S_{i+1}$ is obtained from $S_i$ as follows: choose an axiom $A(t) \to A(\epsilon x A)$ in the proof such
that $S_i(A(t)) = \mathrm{true}$ and $S_i(A(\epsilon x A)) = \mathrm{false}$, if any (in the negative case $S = S_i$ and we are done). Then
put $S_{i+1}(\epsilon x A)$ = the least $n < S_i(t)$ such that $A(n)$.

This is strikingly similar to the action of the realizers of the ($\chi$)-axioms, for which we refer to Remark
6.11. But this also reveals a key difference with our construction: in fact to avoid circularities, after
redefining the value of $\epsilon x A$ one has to reset to the values of all the $\epsilon$-terms of greater rank than
$\epsilon x A$ (a measure of the nesting of $\epsilon$-terms). This indiscriminate form of backtracking, which is not very
different from blind search, is the consequence of the limited use of information from the proof in
the $\epsilon$-substitution method, which contributes only to determining the set of critical formulas that have to
be satisfied. On the contrary the compositional nature of our realizability interpretation allows for an
essential use of the proof structure, so that the nature and efficiency of the resulting algorithm strictly
depend on the proof itself, often embodying clever computational ideas.
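
As an added illustration (not code from the paper), the iteration of substitutions described above can be run on a constructed pair of ε-terms, one nested inside the other. The names `EPS`, `CRITICAL`, `violated`, `step` and `solve` are hypothetical; the example assumes that every ε-term starts at, and is reset to, 0, and that the search for the least n is bounded inclusively by the value of t.

```python
# epsilon-terms: name -> (rank, A), where A(x, s) may read other terms from s.
# Constructed sample: the formula of e2 mentions e1, so e2 has greater rank.
EPS = {
    "e1": (1, lambda x, s: x * x >= 50),
    "e2": (2, lambda x, s: x > 2 * s["e1"] and x % 7 == 0),
}

# Critical formulas A(t) -> A(eps x A), given as (epsilon-term, term t).
CRITICAL = [
    ("e2", lambda s: 7 * (s["e1"] + 2)),
    ("e1", lambda s: 20),
]


def violated(s):
    """First critical formula with S(A(t)) true and S(A(eps x A)) false."""
    for name, t in CRITICAL:
        _, A = EPS[name]
        if A(t(s), s) and not A(s[name], s):
            return name, t(s)
    return None


def step(s, name, bound):
    """Build S_{i+1}: redefine one epsilon-term, reset those of greater rank."""
    rank, A = EPS[name]
    nxt = dict(s)
    # A holds at the value of t, so the least witness is found by then.
    nxt[name] = next(n for n in range(bound + 1) if A(n, s))
    for other, (r, _) in EPS.items():
        if r > rank:
            nxt[other] = 0  # assumed default value
    return nxt


def solve(max_steps=100):
    """Iterate S_0, S_1, ... until no critical formula is falsified."""
    s = {name: 0 for name in EPS}  # S_0 (assumed: every term starts at 0)
    trace = [s]
    for _ in range(max_steps):
        hit = violated(s)
        if hit is None:
            return s, trace  # S = S_i validates every critical formula
        s = step(s, *hit)
        trace.append(s)
    raise RuntimeError("no solving substitution within max_steps")
```

In the trace, the value 7 learned for `e2` is discarded as soon as `e1` is redefined, and has to be learned again as 21: this is the reset of greater-rank terms that the paragraph above calls indiscriminate backtracking.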

Friedman A-translation. Friedman's famous result in [Friedman 1978] is an extension of Gödel's proof of
conservativity of PA over HA for $\Pi^0_2$-statements, which is suitable for program extraction from classical
proofs. As such, it has been developed into a system to synthesise programs from classically provable
$\Pi^0_2$-statements, or equivalently $\Sigma^0_1$-formulas possibly with parameters: see e.g. [Berger et al. 2002] and
the MINLOG project. The extraction process runs as follows: given a classical proof $p$ of the arithmetic
formula $A = \exists y\, P(x, y)$, with $P$ quantifier free (or equivalently primitive recursive), it is translated into a
proof $p'$ in minimal arithmetic MA (i.e. HA without the axiom schema $\bot \to B$), of the formula $A^{\neg\neg}$,
which is obtained from $A$ by double negation of atomic subformulas and interpreting $\lor$, $\exists$ by $\neg\land\neg$ and
$\neg\forall\neg$ respectively. The translation is possible because, under such interpretation, the excluded middle
law is trivially derivable, and in fact it is an instance of the identity rule. Since $\neg B = B \to \bot$, we have
$A^{\neg\neg} = \forall y (P(x, y) \to \bot) \to \bot$. On the other hand, by the absence of the ex-falso quodlibet law from MA,
$\bot$ can be replaced by an arbitrary formula, so that in particular we have a proof $p'' = p'[A/\bot]$ of the
formula $A^{\neg\neg}[A/\bot] = \forall y (P(x, y) \to A) \to A$. Now $p''$ is a constructive proof, and $A^{\neg\neg}[A/\bot]$ is constructively
equivalent to $A$: hence we extract a program (a $\lambda$-term) from $p''$ realizing $\exists y\, P(x, y)$ which, for any $x$,
actually computes a $y$ s.t. $P(x, y)$.

Apparently Friedman's interpretation bears no relation to our construction. However, if we consider
only proofs of $A$ in EM$_1$ and analyse the reduction paths from $p''$ we see that it computes the witness in
a way conceptually similar to ours. For any term $t$, if $p''$ includes a subproof $q = \lambda\xi.\, q'[t/x]$ of $\forall y (P(t, y) \to A)$,
then $p''$ corresponds to the assumption that $\forall y\, \neg P(t, y)$ holds, and essentially stores the current state
of the program. The term $q$ is what is called a "continuation" in functional programming. In fact, if
for some $n$ a proof $r$ of $P(t, n)$ is found, then $p''$ yields $q(r)$, that reduces to $q'[t/x, r/\xi]$, which actually
restarts the computation from the point in which the wrong assumption $\forall y\, \neg P(t, y)$ was made, and, at
the same time, produces a proof of $\exists y.\, P(t, y)$ and a witness $n$. According to our construction the same
effect is achieved by adding $P(t, n)$ to the state.

We observe that, besides being semantically more perspicuous, the method proposed in the present
paper is even more general: the algorithm obtained via the functional interpretation of Friedman's
translation is essentially sequential and deterministic, the latter being an accidental and arbitrary feature;
on the other hand with the present construction realizers, and in particular the merge operation that
they embody, can be implemented in many different ways, also including parallel and non deterministic
procedures.

Realizability of classical logic and theories. The extension of Kleene's realizability and of the Curry-
Howard correspondence between proofs and programs to classical logic and theories began with Griffin's
discovery, illustrated in [Griffin 1990], that control operators and continuations can be typed by the
classical law: $\neg\neg A \to A$. Since then this idea has been pursued by several authors: see e.g. [Murthy
1991] dealing however with Friedman's translation, and [Krivine 2007], which is directly inspired by the
Curry-Howard correspondence. A connected development has been the introduction of calculi that are to
classical proofs what the $\lambda$-calculus is for intuitionistic ones: see Parigot's $\lambda\mu$-calculus in [Parigot 1992],
and its development into a symmetric calculus of classical proofs called $\bar{\lambda}\mu\tilde{\mu}$-calculus in [Curien and
Herbelin 2000], but also the former "symmetric $\lambda$-calculus" in [Barbanera and Berardi 1996], exploiting
similar ideas. With respect to all such works we have departed here because of the concept of realizer
we have used, which is not based on the idea of continuations nor on that of control operators, but on
searching and learning. However, and a posteriori, we think that similar remarks could be made as in the
case of Friedman's translation, namely that, on the one hand, we might expect to obtain similar algorithms
on particular examples; but on the other we have a better explanation of how and why the interpretation
works, even if, for the time being, the present results are limited to proofs of low logical complexity, as repeatedly
explained in the previous sections, while the above mentioned systems deal with full classical logic and
arithmetic.

In [Hayashi 2006] a notion of realizability is introduced for a subclassical arithmetic, called Limit
Computable Arithmetic (LCM). The theory combines Kleene realizability with Gold learning in the limit,
which is achieved by asking a realizer to learn the evidence of the realized formula, instead of computing
such an evidence. The essential departure from Kleene's realizability is of course in the cases of $A \lor B$
and of $\exists x.\, A(x)$: according to Hayashi a realizer of $A \lor B$ is a pair $g(n) = (g_1(n), g_2(n))$ such that $\lim_n g(n)$
exists and if $\lim_n g_1(n) = 0$ then $g_2$ is a guessing function for $A$, while it is a guessing function of $B$
in case $\lim_n g_1(n) \neq 0$. Similarly a realizer of $\exists x.\, A(x)$ is a function $g(n) = (g_1(n), g_2(n))$ that always
converges and $g_2$ is a guessing function for $A(\lim_n g_1(n))$.

Hayashi's concept of realizer is similar to ours in relevant respects: it is constructed along the proof
(and for this reason it is called the proof "animator"), and it is convergent. The fact that LCM uses quantified
formulas while PRA + EM$_1$ is a quantifier free theory is a minor difference, and not a true limitation
of our approach: see [Aschieri and Berardi 2009]. Rather the essential difference between the learning
realizability of LCM and the model we present here lies in the use of the proof, and hence of the realizer
itself. In the case of LCM a realizer is a guessing function, hence a tool for testing guesses which have to
be provided by a "user" interacting with the proof; in the absence of the user the only strategy to learn
the truth of the conclusion of the proof is exhaustive blind search. On the contrary an interactive realizer
in our sense is the basic block of a learning strategy, capable of producing and testing hypotheses against the
"nature", namely that part of the standard model that can be learned within a finite number of steps.

In [Aschieri and Berardi 2009] essentially the same model that we have studied here is combined with
Kleene's realizability, obtaining an interactive realizability interpretation of HA + EM$_1$. This extension
of the interactive realizability model makes the term "realizability" even more acceptable for the
construction we are proposing.

However with respect to that work, we take here a different research direction: first we isolate and
investigate on their own the concepts of individuals, global functions, interactive realizers and merge
of realizers. These concepts, that are at the heart of the construction, are somewhat hidden in the
presence of nested quantifiers, that for example force the interpretation of a formula to be of different
type depending on the formula itself; as a matter of fact in [Aschieri and Berardi 2009] the type of $[\![A]\!]$
is $\mathbb{S} \to \mathbb{B}$ only in the case of atomic formulas; consequently also the type of realizers gets arbitrarily
complex. Moreover, we think that the framing of our model in the theory of strong monads, which is a major
contribution of the present paper, allows a more general view of the construction and hints at its possible
extensions to cope with non constructive principles of higher complexity.

Monads and the interpretation of non-constructive proofs. Monads come from category theory, and strong
monads have been introduced into the world of typed $\lambda$-calculi and of the foundation of programming
languages in [Moggi 1991], where the reader will find the definitions of side-effects and continuations
monads, but not of the monads we use here: for that reason we described the monad $\mathcal{S}$ in some detail,
even if it is a quite simple example of strong monad.

As it should be clear from the text, we do not make essential use of categorical techniques in our work,
and base the exposition on simply typed $\lambda$-calculus. This is coherent with Moggi's original presentation
of monads as type constructors of a computational $\lambda$-calculus, and with the similar treatment of this
topic e.g. in the book [Amadio and Curien 1998], chapter 8.

Coquand pointed out in [Coquand 1996] a suggestive connection between the constructive interpretation
of classical principles and monads, in which monads play for non constructive features the same role that
they have for simulating imperative aspects in functional programming languages. Indeed the monad
$\mathcal{S}$ is here the main tool for defining the interpretation of formulas in a non ad-hoc fashion, providing a nice
characterization of global functions in terms of morphisms of the Kleisli category $\mathbf{Set}_{\mathcal{S}}$. It is while
attempting to devise the right definition of the monad $\mathcal{R}$ that the monoidal structure of the merge has
been realized and its basic properties analyzed.

Besides the theoretical motivations, monads have become a powerful tool to implement non functional
aspects in functional programming languages, thanks to Moggi's original idea and to the work by Wadler
(see e.g. [Wadler 1994] and a series of papers thereafter) and many others. It is nowadays a common
practice to model imperative features in functional languages by means of monads, especially in the
community of Haskell programmers. This relation to the programming practice is not by chance: among
the basic motivations of the research field we are concerned with here is the desire for methods for using
classical logic principles efficiently to develop programs whose adequacy to the specification can be formally certified.

We observe in the main part of the paper that $\mathcal{R}X$ is isomorphic to $\mathbb{S} \to (X \times \mathbb{S})$, that is, isomorphic as a
type (though not as a monad) to the side-effect monad. But the most striking connection with the theme
of our work is of course Moggi's monad of continuations, which after Griffin's intuition, is used to type
control operators by Gödel-Gentzen doubly negated types. The fact that we do not find the continuation
monad at the basis of our construction is easily explained by the limitation to 1-backtracking we have
put forward: we think that the use of the full strength of continuations would give the possibility of
interpreting unbounded backtracking, but at the price of losing any intuition about the relation between
classical proofs and the interactive algorithms we could derive from them.

8. CONCLUSIONS 

We have interpreted non-constructive proofs of arithmetical statements which can be obtained by using
excluded middle over $\Sigma^0_1$ formulas as procedures that learn about their truth by redefining the value of
Skolem functions. This process is at the same time an instance of two interpretations of classical logic:
learning in the limit and 1-backtracking. The structure of proofs is reflected by their realizers, which
are compositional, and parametric in the composition operation we call "merge". Realizers inhabit a
computational type, hence a particular monad; actually monads are the structuring principle on which
our construction relies.

As further steps of the presented research, we envisage the recasting of the (existing) extension of
interactive realizers to HA + EM$_1$ in the framework of monads and, more importantly, the generalisation
of interactive realizers to encompass EM$_n$ axiom schemata.